From: "Chris H" <bsd-lists@bsdforge.com>
To: "FreeBSD pf" <freebsd-pf@freebsd.org>
Subject: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 13:06:01 -0700
List-Id: "Technical discussion and general questions about packet filter (pf)"

OK. My association with FreeBSD has made me a prime target for every male hormone distributor on the net. Fact is, I can guarantee ~89 SPAM attempts in under 5 minutes after creating a pr on bugzilla. At first I was angry and frustrated, but decided to make it a challenge/contest and see my way to thwarting their attacks. Long story short: I think I'm on the right track. In just over a month, I've managed to trap just under 3 million (2,961,264) *bona fide* SPAM sources.

I've been honing and tuning my approach to ensure that there are zero false positives, and at the same time make it more and more efficient. So now that I'm dropping packets from *so* many IPs, I'm wondering if it's not time to better tune pf(4). I've never worked pf hard enough to do any more than create a table and a few simple rules. But I think I need to do more. Here's the bulk of what I'm using now:

###################################
set loginterface re0
set block-policy drop
set fingerprints "/etc/pf.os"
scrub in all
set skip on lo0
antispoof quick for lo0
antispoof for re0 inet
# the table name was lost in the archived copy; <SPAMMERS> is assumed from the file name
table <SPAMMERS> persist file "/etc/SPAMMERS"
block in log quick on re0 proto tcp from <SPAMMERS> to port {smtp, submission, pop3, imap, imaps}
###################################

Would set optimization be warranted?
Any thoughts, or advice greatly appreciated!

--Chris
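Before touching `set optimization`, the first thing to check on a ruleset like this is whether pf's own limits and counters show any pressure at all: a table lookup is a radix-tree match, so a big table is cheap per packet, but it does count against the `table-entries` hard limit, and the state table has its own limit. The script below is an added example, not code from the post; it parses the `pfctl -s memory` and `pfctl -s info` output formats and compares a table's entry count against the hard limit. The sample outputs are constructed, the table name `spammers` is an assumption (the real name is lost in the archived post), and the 2,961,264 figure is the count given above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check pf limits and
# counters before tuning. Assumes FreeBSD pfctl(8) output formats for
# "pfctl -s memory" and "pfctl -s info"; table name "spammers" is assumed.

# Print the hard limit for one "set limit" item, reading `pfctl -s memory`
# text on stdin (e.g. pf_limit table-entries).
pf_limit() {
    awk -v item="$1" '$1 == item && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Print the current state-table entry count from `pfctl -s info` text on stdin.
pf_states() {
    awk '/^State Table/ { in_st = 1; next }
         in_st && $1 == "current" && $2 == "entries" { print $3; exit }'
}

# Count non-empty lines of `pfctl -t <name> -T show` output on stdin.
pf_table_count() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Compare an entry count against a hard limit. Prints "ok n/limit" or
# "over n/limit"; returns 1 when the count exceeds the limit so callers can act.
check_table_limit() {
    n="$1"; lim="$2"
    if [ "$n" -gt "$lim" ]; then
        echo "over $n/$lim"
        return 1
    fi
    echo "ok $n/$lim"
}

# Constructed sample output in the format pfctl prints, so this runs offline.
# 200000 is the table-entries default documented in pf.conf(5).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

SAMPLE_INFO='Status: Enabled for 2 days 04:19:12          Debug: Urgent

State Table                          Total             Rate
  current entries                      312
  searches                         4567890           24.1/s
  inserts                            12345            0.1/s
  removals                           12033            0.1/s'

# Constructed table listing (three addresses, one blank trailing line).
SAMPLE_TABLE='192.0.2.10
198.51.100.7
203.0.113.99
'

# Offline demonstration with the constructed samples and the post's 2,961,264 count.
lim=$(printf '%s\n' "$SAMPLE_MEMORY" | pf_limit table-entries)
check_table_limit 2961264 "$lim" || echo "table exceeds limit: raise it with 'set limit table-entries N'"
printf 'states in use: %s of %s\n' \
    "$(printf '%s\n' "$SAMPLE_INFO" | pf_states)" \
    "$(printf '%s\n' "$SAMPLE_MEMORY" | pf_limit states)"

# Live use on a FreeBSD host (not executed here):
#   pfctl -s memory | pf_limit table-entries
#   pfctl -t spammers -T show | pf_table_count
#   pfctl -s info   | pf_states
```

If the table count is over the hard limit, pf will refuse to load the full file, which is the number to reconcile before any `set optimization` setting matters; if states and table entries are both comfortably under their limits and `pfctl -s info` shows no counter growth under load, there is nothing to tune yet.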