Date: Wed, 29 Mar 2017 22:19:58 +0200
From: "Kristof Provost" <kristof@sigsegv.be>
To: "Chris H" <bsd-lists@bsdforge.com>
Cc: "FreeBSD pf" <freebsd-pf@freebsd.org>
Subject: Re: When should I worry about performance tuning?
Message-ID: <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
In-Reply-To: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>
References: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>

On 29 Mar 2017, at 22:06, Chris H wrote:

> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated. But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bona fide* SPAM sources.
> I've been honing, and tuning my approach to ensure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IPs
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table <spammers> persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from <spammers> to port {smtp,
> submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>

If I’m reading the code right the table lookup already uses a radix
table internally, so I would already expect this to perform as well as
it’s going to.

Arguably you could just drop all traffic from them on all interfaces,
but I doubt that’ll make a huge difference.

Regards,
Kristof

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9C2B6967-4475-4AC9-BA41-6227EF3511F9>
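
The radix-lookup point in the reply above, sketched as an added example (not part of the original message, and not pf's code): a plain binary trie over IPv4 prefixes, where a lookup visits at most 33 nodes however many entries are loaded. The function names and sample addresses are constructed for illustration; pf's real tables use the kernel's radix tree code rather than this simplified trie.

```c
#include <stdint.h>
#include <stdlib.h>

/* One node per prefix bit; 'listed' marks the end of a stored prefix. */
struct node { struct node *child[2]; int listed; };

static struct node *root;

/* Insert addr/len (host byte order, 0 <= len <= 32). Returns 0, -1 on OOM. */
int table_add(uint32_t addr, int len) {
    if (!root && !(root = calloc(1, sizeof *root))) return -1;
    struct node *n = root;
    for (int i = 0; i < len; i++) {
        int bit = (addr >> (31 - i)) & 1;
        if (!n->child[bit] && !(n->child[bit] = calloc(1, sizeof *n)))
            return -1;
        n = n->child[bit];
    }
    n->listed = 1;
    return 0;
}

/* Returns 1 if any stored prefix covers addr. *steps receives the number of
 * nodes visited: never more than 33, regardless of how many entries exist. */
int table_match(uint32_t addr, int *steps) {
    struct node *n = root;
    int visited = 0;
    for (int i = 0; n != NULL; i++) {
        visited++;
        if (n->listed) { *steps = visited; return 1; }
        if (i == 32) break;
        n = n->child[(addr >> (31 - i)) & 1];
    }
    *steps = visited;
    return 0;
}

/* Constructed sample data: n host entries starting at 198.18.0.0 (RFC 2544
 * benchmarking range) plus 203.0.113.0/24 (TEST-NET-3). */
int table_fill(unsigned long n) {
    for (unsigned long i = 0; i < n; i++)
        if (table_add(0xC6120000u + (uint32_t)i, 32) != 0) return -1;
    return table_add(0xCB007100u, 24);
}

int main(void) {
    int steps;
    return (table_fill(100000) == 0 && table_match(0xC6120002u, &steps)) ? 0 : 1;
}
```

Loading 4 entries or 100,000 leaves the step count for a given address unchanged, which is why growing the `<spammers>` table does not by itself slow the per-packet lookup.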