From: Vincent Hoffman-Kazlauskas
Subject: Re: Rate-limiting in PF
To: freebsd-pf@freebsd.org
Date: Thu, 5 Oct 2017 00:56:00 +0100

On 04/10/2017 23:02, Dave Horsfall wrote:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid
>> spamware regards rejects and a long banner as a challenge), and
>> following advice on this list I used the following (the important bit,
>> anyway):
>>
>>    #
>>    # No more than 10/IP, or 5/m should be plenty.
>>    #
>>    pass inet proto tcp from any to any port smtp \
>>        flags S/SA keep state \
>>        (max-src-conn 10, max-src-conn-rate 5/60, \
>>        overload <woodpeckers> flush global)
>
> The max-src-conn-rate does not work according to the sample that I
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> [...]
>
> Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> There were 498 in all.  So, does the rate-limiting work and I am doing
> something wrong, or does it not work but is documented, and thus is
> vapourware?
I'm a bit out of practice, but IIRC what your rule does is: if an IP hits those limits, then add the IP to the woodpeckers table, i.e. classification, not policing. What rules do you have that act on that table? I.e. do you have a block rule like "block drop quick from <woodpeckers> to any"? Is anything added to the table ("pfctl -t woodpeckers -T show")? If there is, don't forget to expire them after a while unless you want them permanently banned; a cron with something like "pfctl -t woodpeckers -T expire 3600", IIRC.

Vince
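Added here as an example, not part of either mail: a check of the quoted sendmail log against the 5/60 rate in Dave's rule, so you can tell from the MTA log whether a source actually exceeded max-src-conn-rate before suspecting pf. It assumes the year 2017 for the syslog timestamps (which carry none); the sample lines are constructed from the quoted ones.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first five lines repeat the timestamps and source quoted in
# the thread, the sixth continues the same ~11 s cadence, the seventh is an unrelated
# source (documentation address). Queue IDs on the constructed lines are made up.
SAMPLE_LOG = """\
Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:58 aneurin sm-mta[88523]: v943M2ab088523: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:22:30 aneurin sm-mta[88524]: v943MUcd088524: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r"\[(?P<src>[0-9.]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)
YEAR = 2017  # assumption: syslog omits the year; the thread is from October 2017

def to_seconds(ts):
    """Seconds since the start of YEAR for a syslog 'Mon dd HH:MM:SS' timestamp."""
    dt = datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(YEAR, 1, 1)).total_seconds()

def max_in_window(times, window_s):
    """Largest number of events whose timestamps fall inside any span shorter than window_s."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window_s:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best

def rate_exceeders(log_text, limit=5, window_s=60):
    """Sources that would trip 'max-src-conn-rate limit/window_s', i.e. more than
    limit new connections inside window_s seconds. Returns {src: peak count}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_src[m["src"]].append(to_seconds(m["ts"]))
    return {src: n for src, ts in by_src.items()
            if (n := max_in_window(ts, window_s)) > limit}

if __name__ == "__main__":
    for src, peak in rate_exceeders(SAMPLE_LOG).items():
        print(f"{src}: {peak} connections inside 60 s, exceeds 5/60")
```

A source that shows up here but never lands in the table (pfctl -t woodpeckers -T show) points at the rule not matching or the table not being enforced rather than at the rate itself.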