From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Sat, 16 Jun 2012 21:14:20 +0100
To: prabhpal@digital-infotech.net
Message-ID: <4FDCE91C.9040005@infracaninophile.co.uk>
In-Reply-To: <69642fed4fe6d9fb794eaedf2557cd8f.squirrel@mail.digital-infotech.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: USE PF to Prevent SMTP Brute Force Attacks - Resolved !!!

On 16/06/2012 21:03, Shiv. Nath wrote:
> Dear Metthew,

Matthew, one a, one e.

> first thanks for assisting to secure 22/25 ports from brute force attack.
> i wish to consult if the following white list looks fine to exclude
> trusted networks (own network)
>
> int0="em0"
> secured_attack_ports="{21,22,25}"
>
> table persist
> block in log quick from
> pass in on $int0 proto tcp \
>     from any to $int0 port $secured_attack_ports \
>     flags S/SA keep state \
>     (max-src-conn-rate 5/300, overload flush global)
>
> ## Exclude Own Network From Brute-Force Rule ##
>
> table persist {71.221.25.0/24, 71.139.22.0/24}
> pass in on $int0 proto tcp from to any
>
> OR
>
> pass in on $int0 proto tcp from to secured_attack_ports
                                     ^^^^^^^^^^^^^^^^^^^^^
                                     $secured_attack_ports

You seem to have missed out a $ sign there. But, yes, other than that it
looks good. You want to move the table definitions up to the top of the
file and, as you've shown, you want your network specific rule after the
more generic rate-limited accept rule: remember that (except for quick
rules) it's the last matching rule in the ruleset that applies.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
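A pf.conf fragment that applies the three points made in the reply above (tables declared at the top, the missing `$`, and the trusted-network rule placed after the rate-limited rule), written as an added example rather than code taken from the thread. The table names `<bruteforce>` and `<trusted>` are assumed, since the original message's table names did not survive in the archive.

```pf
# Added example: pf.conf fragment applying the advice in this reply.
# Table names <bruteforce> and <trusted> are assumed; the thread's own
# table names are not recoverable from the archived message.

int0 = "em0"
secured_attack_ports = "{ 21, 22, 25 }"

# Tables must be declared before any rule that references them,
# so both definitions go at the top of the ruleset.
table <bruteforce> persist
table <trusted> persist { 71.221.25.0/24, 71.139.22.0/24 }

# "quick": an address already in <bruteforce> is rejected here and
# no later rule is evaluated for that packet.
block in log quick on $int0 from <bruteforce>

# Generic rate-limited accept: a source opening more than 5 new
# connections in 300 seconds to these ports is added to <bruteforce>
# and all of its existing states are flushed.
pass in on $int0 proto tcp \
    from any to $int0 port $secured_attack_ports \
    flags S/SA keep state \
    (max-src-conn-rate 5/300, overload <bruteforce> flush global)

# Trusted networks: placed AFTER the generic rule. Without "quick",
# the last matching rule wins, so connections from <trusted> are
# accepted by this rule and never counted against the rate limit.
# Note the "$" on the macro, which the original draft omitted.
pass in on $int0 proto tcp \
    from <trusted> to $int0 port $secured_attack_ports \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -t bruteforce -T show` lists the addresses the overload rule has currently blocked.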