From owner-freebsd-pf@freebsd.org Thu Oct 5 04:43:41 2017
Subject: Re: Rate-limiting in PF
To: freebsd-pf@freebsd.org
From: Max
Date: Thu, 5 Oct 2017 07:06:46 +0300
List-Id: "Technical discussion and general questions about packet filter (pf)"

I think it is exactly 5 connections per 60 seconds. What does "pfctl -sS | grep 114.100.182.206" show?
On 05.10.2017 1:02, Dave Horsfall wrote:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid
>> spamware regards rejects and a long banner as a challenge), and
>> following advice on this list I used the following (the important
>> bit, anyway):
>>
>>    #
>>    # No more than 10/IP, or 5/m should be plenty.
>>    #
>>    pass inet proto tcp from any to any port smtp \
>>     flags S/SA keep state \
>>     (max-src-conn 10, max-src-conn-rate 5/60, \
>>     overload flush global)
>
> The max-src-conn-rate does not work according to the sample that I
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> [...]
>
> Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
> Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
>
> There were 498 in all.  So, does the rate-limiting work and I am doing
> something wrong, or does it not work but is documented, and thus is
> vapourware?
>
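The thread above turns on what "max-src-conn-rate 5/60" actually counts and why a source that connected 498 times was never caught. The following is an added example, not code from the thread, from pf or from pfctl. It replays sendmail "did not issue ..." log lines against two readings of a 5/60 limit: a strict sliding window (exactly five connections in any 60 seconds) and a decaying counter modelled on pf's pf_add_threshold()/pf_check_threshold() in pf.c as I read it (the count decays linearly over the interval before each new connection is added, and the source trips once the count exceeds the limit). Treat that decaying model as an assumption to verify against your own kernel's source. The first five log lines are the ones Dave quoted; the remaining ten are constructed to continue the same roughly 11-second cadence so both counters have enough input to trip.

```python
"""Replay sendmail connection log lines against pf-style per-source rate limits.

Added example, not code from the thread or from pf.  The first five log lines
are quoted from the thread; the rest are constructed (made-up PIDs and queue
IDs) to continue the same ~11 s cadence so the counters have enough input.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# sendmail "did not issue ..." line: syslog timestamp, host, then the client IP in brackets.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: \[([\d.]+)\] did not issue"
)

REAL_LINES = """\
Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# Constructed continuation: one more connection every 11 seconds after the last real line.
CONSTRUCTED_LINES = "".join(
    f"Oct  4 {datetime(2017, 10, 4, 14, 21, 47) + timedelta(seconds=11 * k):%H:%M:%S} "
    f"aneurin sm-mta[{88522 + k}]: constructed{k:02d}: [114.100.182.206] did not issue "
    "MAIL/EXPN/VRFY/ETRN during connection to IPv4\n"
    for k in range(1, 11)
)
SAMPLE_LOG = REAL_LINES + CONSTRUCTED_LINES

PF_THRESHOLD_MULT = 1000  # pf keeps the per-source count scaled by 1000 (assumption from pf.c)


def parse_log(text, year=2017):
    """Return [(timestamp, src_ip), ...] in log order; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def sliding_window_trips(events, limit, seconds):
    """Strict reading of limit/seconds: the first connection that makes more than
    `limit` connections from one source inside any `seconds`-long window trips it.
    Returns {src_ip: index of the tripping connection, or None if it never trips}."""
    windows, tripped = {}, {}
    for i, (ts, ip) in enumerate(events):
        q = windows.setdefault(ip, deque())
        tripped.setdefault(ip, None)
        while q and (ts - q[0]).total_seconds() >= seconds:
            q.popleft()  # drop connections that have aged out of the window
        q.append(ts)
        if len(q) > limit and tripped[ip] is None:
            tripped[ip] = i
    return tripped


def pf_threshold_trips(events, limit, seconds):
    """Decaying counter modelled on pf_add_threshold()/pf_check_threshold() (assumption):
    on each new connection the count loses count*diff/seconds in integer arithmetic
    (reset to 0 once diff >= seconds), gains one connection, and the source trips
    when count > limit.  Same return shape as sliding_window_trips."""
    state, tripped = {}, {}
    for i, (ts, ip) in enumerate(events):
        count, last = state.get(ip, (0, None))
        tripped.setdefault(ip, None)
        if last is not None:
            diff = int((ts - last).total_seconds())
            if diff >= seconds:
                count = 0
            else:
                count -= count * diff // seconds
        count += PF_THRESHOLD_MULT
        state[ip] = (count, ts)
        if count > limit * PF_THRESHOLD_MULT and tripped[ip] is None:
            tripped[ip] = i
    return tripped


def check_sources(log_text, limit=5, seconds=60):
    """Per source: total connections seen and the index at which each model trips."""
    events = parse_log(log_text)
    sliding = sliding_window_trips(events, limit, seconds)
    decaying = pf_threshold_trips(events, limit, seconds)
    return {
        ip: {
            "connections": sum(1 for _, e in events if e == ip),
            "sliding": sliding[ip],
            "decaying": decaying[ip],
        }
        for ip in sliding
    }


def _describe(idx):
    return "never" if idx is None else f"connection #{idx + 1}"


if __name__ == "__main__":
    for ip, r in check_sources(SAMPLE_LOG).items():
        print(f"{ip}: {r['connections']} connections; strict 5/60 trips at "
              f"{_describe(r['sliding'])}, pf-style decaying counter at "
              f"{_describe(r['decaying'])}")
```

Run it as a script to see when each counter would have tripped for 114.100.182.206. At the cadence in the log the strict window trips on the sixth connection and the decaying counter on the thirteenth, so under either reading the source should have landed in the overload table long before 498 connections. If "pfctl -sS" shows no source-tracking entry for the address at all, then no state was ever created by a rule carrying the max-src-* options, and neither counter came into play.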