From owner-freebsd-pf@freebsd.org Sat Oct 7 06:08:29 2017
Date: Sat, 7 Oct 2017 16:51:08 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Re: Rate-limiting in PF
References: <3dc9c2a9-ae68-1e56-d2b1-12530772690f@unsane.co.uk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, 5 Oct 2017, Dave Horsfall wrote:

>> is anything added to the table (pfctl -t woodpeckers -T show)
>
> I have lots of them because I've been adding them by hand, but this time
> I'll hold back and observe, just to be sure.
No, they are not being added; here's an extract from the mail log:

Oct 7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

"pfctl -t woodpeckers -T show | grep 37.49.224.104" is empty.

But wait... It looks for all the world like they are deliberately stopping after 5/m without getting blocked, waiting a bit, then starting up again... Either that, or the block is not "sticking" for some reason.

Hence my question: can anyone state unequivocally that the rate limiting does indeed work (pref. with proof) and that I am doing something subtly wrong, and if so what is it?

In the meantime, I've enabled logging on the rate-limited packets, to see if that sheds a little more light.

If/when confirmed as a PF bug I'll report it accordingly, as I prefer to eliminate my own stupidity first :-)

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
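One way to check the "stopping after 5/m" theory against the log itself is to compute, per source address, the most connection events that fall into any sliding 60-second window. The script below is an added example, not code from the poster or from PF; it takes the sendmail lines quoted above as its sample input and assumes a 5-per-minute limit, which is the figure mentioned in the post, not a setting read from any pf.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sendmail lines as quoted in the post (each is logged when the connection
# closes, so these are close times, not the times PF saw the SYN).
SAMPLE_LOG = """\
Oct 7 15:21:28 aneurin sm-mta[6908]: v974LI1n006908: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:21:48 aneurin sm-mta[6909]: v974Lcwj006909: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:21:59 aneurin sm-mta[6910]: v974LnTe006910: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:13 aneurin sm-mta[6923]: v974M2QU006923: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:24 aneurin sm-mta[6924]: v974MGKm006924: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:35 aneurin sm-mta[6925]: v974MOQW006925: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:45 aneurin sm-mta[6926]: v974MZOZ006926: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:22:56 aneurin sm-mta[6927]: v974MkO2006927: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:07 aneurin sm-mta[6928]: v974MvjQ006928: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:18 aneurin sm-mta[6930]: v974N7c3006930: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:38 aneurin sm-mta[6931]: v974NRZM006931: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 7 15:23:49 aneurin sm-mta[6932]: v974NcYF006932: [37.49.224.104] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: \[([\d.]+)\] did not issue")

def parse_close_events(log_text):
    """Return {source_ip: [datetime, ...]} for every matching sendmail line."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog has no year; 2017 is assumed from the post's date
            ts = datetime.strptime("2017 " + m.group(1), "%Y %b %d %H:%M:%S")
            events[m.group(2)].append(ts)
    return events

def peak_rate(times, window_s=60):
    """Largest number of events inside any sliding window of window_s seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window_s:
            start += 1  # drop events that fell out of the window
        best = max(best, end - start + 1)
    return best

def sources_over_limit(log_text, limit=5, window_s=60):
    """Map each source whose peak rate exceeds limit/window to that peak."""
    rates = {ip: peak_rate(ts, window_s) for ip, ts in parse_close_events(log_text).items()}
    return {ip: r for ip, r in rates.items() if r > limit}

if __name__ == "__main__":
    print(sources_over_limit(SAMPLE_LOG))  # {'37.49.224.104': 6}
```

On this extract the source peaks at 6 close events in 60 seconds, so by close time it does exceed 5/m; PF's max-src-conn-rate counts state creations, so the same check run over the pf log of SYNs (which the post says is now being enabled) is the one that actually decides the question.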