From: "Kristof Provost"
To: "Chris H"
Cc: "FreeBSD pf"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 22:19:58 +0200
Message-ID: <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 29 Mar 2017, at 22:06, Chris H wrote:
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is, I can guarantee ~89 SPAM attempts in under 5
> minutes after creating a PR on Bugzilla. At first I
> was angry and frustrated, but decided to make it a
> challenge/contest and see my way to thwarting their
> attacks. Long story short: I think I'm on the right
> track. In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bona fide* SPAM sources.
> I've been honing and tuning my approach to ensure that
> there are zero false positives and, at the same time,
> make it more and more efficient.
> So now that I'm dropping packets from *so* many IPs,
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table <SPAMMERS> persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from <SPAMMERS> to port {smtp, submission, pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts or advice greatly appreciated!
>
If I’m reading the code right, the table lookup already uses a radix table
internally, so I would already expect this to perform as well as it’s going
to.

Arguably you could just drop all traffic from them on all interfaces, but I
doubt that’ll make a huge difference.

Regards,
Kristof
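An added check, not part of this thread, for the one pf limit that does bite with a table of millions of addresses: the table-entries limit (pf.conf(5) documents a default of 200000), which `pfctl -s memory` reports and `set limit table-entries N` in the options section raises. The POSIX sh script below sizes a table file like /etc/SPAMMERS against that limit; it assumes one address or CIDR per line with `#` comments, and that `pfctl -s memory` prints the line as `table-entries hard limit N`.

```shell
#!/bin/sh
# Added example (not from the thread): size a pf table file against the
# table-entries limit. Assumes one address/CIDR per line, '#' comments allowed.
# 200000 is the default documented for table-entries in pf.conf(5).

DEFAULT_TABLE_ENTRIES=200000

# count_table_entries FILE -> number of non-blank, non-comment lines
count_table_entries() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# needed_limit COUNT -> limit with 25% headroom, rounded up to a multiple of 100000
needed_limit() {
    n=$1
    with_headroom=$(( n + n / 4 ))
    echo $(( (with_headroom + 99999) / 100000 * 100000 ))
}

# check_limit COUNT LIMIT -> "ok" when the table fits, "raise" when it does not
check_limit() {
    if [ "$1" -gt "$2" ]; then echo raise; else echo ok; fi
}

# parse_table_entries_limit: reads 'pfctl -s memory' output on stdin and
# prints the configured hard limit (line format: "table-entries hard limit N")
parse_table_entries_limit() {
    awk '$1 == "table-entries" { print $4 }'
}

# report FILE: compare the file against the live limit when pfctl is
# available (and readable), otherwise against the documented default.
report() {
    file=$1
    limit=
    count=$(count_table_entries "$file")
    if command -v pfctl >/dev/null 2>&1; then
        limit=$(pfctl -s memory 2>/dev/null | parse_table_entries_limit)
    fi
    limit=${limit:-$DEFAULT_TABLE_ENTRIES}
    echo "$file: $count entries, table-entries limit $limit"
    if [ "$(check_limit "$count" "$limit")" = raise ]; then
        echo "options section needs: set limit table-entries $(needed_limit "$count")"
    fi
}

# Demo on a constructed table file using documentation-range addresses.
demo=$(mktemp)
printf '# constructed sample\n203.0.113.0/24\n198.51.100.7\n\n192.0.2.9\n' > "$demo"
report "$demo"
rm -f "$demo"
```

Run it as `report /etc/SPAMMERS` on the firewall; with the 2,961,264 entries from the thread it reports the table exceeding the default and suggests `set limit table-entries 3800000`.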