From owner-freebsd-pf@FreeBSD.ORG Mon Feb 12 10:09:29 2007
From: "eculp@encontacto.net"
To: Volker
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Feb 2007 04:09:24 -0600
Subject: Re: SPAMD stop passing mail from WHITE-list
Message-ID: <20070212040924.dspc2grhgkggwo00@correo.encontacto.net>
In-Reply-To: <45CF4A96.9030304@vwsoft.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Quoting Volker :

> Ed,
>
> On 02/11/07 15:54, eculp@encontacto.net wrote:
>> Quoting Volker :
>>
>> I just set up a machine using your suggestions, correctly I hope ;)
>> I have set it up as:
>>
>> block drop in quick on $ext_if from to any
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
>>     ( max-src-conn 5, max-src-conn-rate 80/90, overload flush global )
>>
>> I'm still not flushing the table with tableexpire as I do with my
>> bruteforce ssh table from crontab. I want to evaluate the entries for a
>> while first.
>>
>> I chose max-src-conn 5 because that is the max number of connections per
>> IP in courier. I assume that should work and if I change it, I would
>> think that I should probably change the courier esmtpd configuration
>> also. Time will tell I guess.
>
> Your rules are looking good so far. For the max-src-conn value you
> have to check what value will be best for you. If you're using any
> other server as a backup MX and you're the final destination, a value of
> 5 may be bad as postfix (for example) is using 5 as a concurrency
> destination limit per default which might easily blow your overload
> rule and your backup MX might get blocked. You should check if that
> value really works for you so as not to have legitimate hosts being
> blocked.

Hi Volker,

I'm keeping my eye on that, thanks.

>>> I haven't found a way to use that mechanism to block such hosts for,
>>> say 120 minutes (which would be a great feature).
>>
>> For my ssh-bruteforce table I am using a crontab entry to expire the
>> entries every 30 minutes. Just in case I shoot myself in the foot, the
>> pain is reduced to half an hour. ;)
>>
>> */30 * * * * root \
>>     /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1
>
> It's ok if it does fit your needs but remember if a host is being
> blocked by your overload rules at 12:29 it's getting unblocked at
> 12:30. I haven't checked expiretable (really had it forgotten) which
> might be a better solution as far as I remember expiretable right
> from the ML discussion.

It was/is a bit confusing but according to the examples in the manual
and in my testing a few months ago for ssh bruteforce, it seems to
work as the EXAMPLES:

    The following removes any entries in table int.users older than one hour:

        # expiretable -v -t 3600 int.users

    This example removes any entries in table int.users older than one and a half hour:

        # expiretable -v -t 1h30m int.users

I'm not using it yet for smtp but probably will eventually, but with a
minimum of a few days.

>> Thanks so much for sharing your configuration and advice.
>
> You're welcome!
>
> I've just written a small periodic script to have newly blocked IP
> addresses being visible in the daily security report.
>
> If you'll want to use it, change the table name and copy the file to
> /usr/local/etc/periodic/security/... and chmod it executable:
>
> /usr/local/etc/periodic/security/710.blockedhosts:
> #!/bin/sh
> # show changes in IP addresses being blocked by pf
>
> # If there is a global system configuration file, suck it in.
> if [ -r /etc/defaults/periodic.conf ]
> then
>     . /etc/defaults/periodic.conf
>     source_periodic_confs
> fi
>
> # provides check_diff, which diffs against the saved copy in /var/backups
> . /etc/periodic/security/security.functions
>
> rc=0
>
> # name of the pf table fed by the overload rule; override in periodic.conf
> blocktable=${blocktable-"blockhosts"}
> cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
> # current number of entries, shown in the report header
> nc=`${cmd} | wc -l`
>
> ${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
> # propagate check_diff's status so periodic(8) reports it
> rc=$?
>
> exit $rc
> #EOF

I was still missing the script and am going to install it now.

Thanks

ed

P.S. The smtp settings seem to be working as expected so far.

> Greetings,
>
> Volker
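A stand-alone shell example added here, not Volker's periodic script and not from the thread, showing the two checks the discussion calls for: the snapshot-to-snapshot change report for the overload table, plus a check that a whitelisted peer such as the backup MX has not been caught by max-src-conn. The pfctl dumps, the whitelist and all addresses are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example, not the thread's own code: report how a pf overload table
# (the table named in the rule's overload option) changed since the last
# snapshot, and flag entries that collide with a whitelist such as a backup MX.
# Runs offline: the "pfctl -t blockhosts -Ts" dumps below are constructed
# stand-ins using RFC 5737 documentation addresses, indented like pfctl output.
export LC_ALL=C
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Snapshot kept from the previous run (constructed).
printf '   %s\n' 192.0.2.10 198.51.100.7 203.0.113.5 > "$WORK/blockhosts.prev"
# Current dump (constructed): 192.0.2.10 has expired, two hosts were added,
# and one of them, 192.0.2.25, is the backup MX that must never be blocked.
printf '   %s\n' 198.51.100.7 203.0.113.5 198.51.100.99 192.0.2.25 > "$WORK/blockhosts.cur"
# Addresses that must never end up in the overload table (constructed).
printf '%s\n' 192.0.2.25 > "$WORK/whitelist"

# normalize FILE: strip pfctl's leading spaces and sort so comm(1) can compare.
normalize() { sed 's/^[[:space:]]*//' "$1" | grep . | sort -u; }

# table_changes PREV CUR: "+addr" for newly blocked, "-addr" for released.
table_changes() {
    normalize "$1" > "$WORK/a"
    normalize "$2" > "$WORK/b"
    comm -13 "$WORK/a" "$WORK/b" | sed 's/^/+/'
    comm -23 "$WORK/a" "$WORK/b" | sed 's/^/-/'
}

# blocked_whitelisted CUR WHITELIST: whitelisted hosts the overload rule caught.
# Any output means max-src-conn / max-src-conn-rate is too tight for that peer.
blocked_whitelisted() {
    normalize "$1" > "$WORK/a"
    normalize "$2" > "$WORK/b"
    comm -12 "$WORK/a" "$WORK/b"
}

# count_blocked CUR: total entries, the "nc" figure in the daily report.
count_blocked() { normalize "$1" | wc -l | tr -d ' '; }

# Stand-alone run: what the daily report would show for the constructed dumps.
echo "blocked hosts: $(count_blocked "$WORK/blockhosts.cur")"
table_changes "$WORK/blockhosts.prev" "$WORK/blockhosts.cur"
for h in $(blocked_whitelisted "$WORK/blockhosts.cur" "$WORK/whitelist"); do
    echo "WARNING: whitelisted host $h is in the overload table"
done
```

On a real host, replace the constructed dump with `pfctl -t blockhosts -Ts` output and keep the previous run's copy as the snapshot.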