Date:      Wed, 29 Mar 2017 22:57:48 +0200 (CEST)
From:      Martin MATO <martin.mato@orange.fr>
To:        freebsd-pf@freebsd.org
Subject:   re: When should I worry about performance tuning?
Message-ID:  <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>
In-Reply-To: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>
References:  <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>

Greetings.

I don't understand some things.

Is your machine a mail relay/server, or do you have a host without any firewall between it and the internet?

In the first case, you should prefer setting up greylisting / tarpitting at a minimum; feeding a firewall table for blacklisting is a never-ending story (plus, there is a real chance of blocking legitimate MX relays).

And in the second case, a basic pf configuration blocking any incoming attempts like:

set skip on lo0                     # skip all filtering on the loopback interface

ext_iface="your_network_card_connected_to_internet"

pass out quick on $ext_iface all    # outbound traffic is allowed; pf keeps state, so replies get back in
block log quick on $ext_iface all   # everything else arriving on the external interface is dropped and logged

should be sufficient.

For more information about optimizations, man (5) pf.conf should do the trick.

Regards.

> Message of 29/03/17 22:05
> From: "Chris H"
> To: "FreeBSD pf"
> Cc:
> Subject: When should I worry about performance tuning?
>
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated. But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bonafide* SPAM sources.
> I've been honing, and tuning my approach to insure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IP's
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table <spammers> persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from <spammers> to port {smtp, submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>
> --Chris
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
From owner-freebsd-pf@freebsd.org  Wed Mar 29 21:00:12 2017
To: "Kristof Provost" <kristof@sigsegv.be>
Cc: "FreeBSD pf" <freebsd-pf@freebsd.org>
In-Reply-To: <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
References: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>,
 <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
From: "Chris H" <bsd-lists@bsdforge.com>
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 14:00:58 -0700

On Wed, 29 Mar 2017 22:19:58 +0200 "Kristof Provost" <kristof@sigsegv.be> wrote

> On 29 Mar 2017, at 22:06, Chris H wrote:
> > OK. My association with FreeBSD has made me a prime
> > target for every male hormone distributor on the net.
> > Fact is; I can guarantee ~89 SPAM attempts in under 5
> > minutes, after creating a pr on bugzilla. At first I
> > was angry, and frustrated. But decided to make it a
> > challenge/contest, and see my way to thwarting their
> > attacks. Long story short; I think I'm on the right
> > track; In just over a month, I've managed to trap
> > just under 3 million (2,961,264) *bonafide* SPAM sources.
> > I've been honing, and tuning my approach to insure that
> > there are zero false positives, and at the same time,
> > make it more, and more efficient.
> > So now that I'm dropping packets from *so* many IP's
> > I'm wondering if it's not time to better tune pf(4).
> > I've never worked pf hard enough to do any more than
> > create a table, and a few simple rules. But I think I
> > need to do more.
> > Here's the bulk of what I'm using now:
> >
> > ###################################
> > set loginterface re0
> > set block-policy drop
> > set fingerprints "/etc/pf.os"
> > scrub in all
> > set skip on lo0
> > antispoof quick for lo0
> > antispoof for re0 inet
> >
> > table <spammers> persist file "/etc/SPAMMERS"
> > block in log quick on re0 proto tcp from <spammers> to port {smtp, submission,
> > pop3, imap, imaps}
> > ###################################
> >
> > Would set optimization be warranted?
> > Any thoughts, or advice greatly appreciated!
> >
> If I’m reading the code right the table lookup already uses a radix table
> internally, so I would already expect this to perform as well as it’s going to.
>
> Arguably you could just drop all traffic from them on all interfaces, but I
> doubt that’ll make a huge difference.
>
> 
Thanks for the reply, Kristof!

If it makes any difference: all the IPs in the table are in CIDR
notation, and are either www.xxx.yyy.0/24 or www.xxx.yyy.zzz/32.
It seemed that would be the most efficient approach -- to me, anyway. :-)

Thanks again!

--Chris
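The two technical points in this thread (pf table lookups go through a radix tree, so cost is bounded by address length rather than table size, and a table of /24 and /32 entries can carry redundant entries) are easier to see in code. The following is an added illustration written for this archive page, not pf's own implementation and not anything the posters ran. It assumes only the table-file format that pfctl -T replace -f accepts (one address or CIDR per line, # comments), the sample table contents are made up from documentation ranges, and the RadixTable class is a deliberately simplified binary trie that mirrors the shape of a longest-prefix lookup.

```python
"""Constructed illustration, not pf code: a pf-style address table loaded
into a binary radix trie, plus a normaliser for the one-CIDR-per-line file
format that `pfctl -t <name> -T replace -f FILE` accepts. A lookup walks at
most one trie edge per address bit (32 or 128), however many prefixes are
loaded, which is the property the thread relies on."""
import ipaddress

# Constructed sample in the /etc/SPAMMERS style; documentation ranges only.
SAMPLE_TABLE = """\
# constructed sample table, not real spam sources
192.0.2.0/24
192.0.2.17/32        # redundant: already inside the /24 above
192.0.2.200          # bare address, loads as a /32
198.51.100.7/32
203.0.113.0/24
2001:db8:dead::/48
"""


def parse_table(text):
    """Turn pf table-file lines into ip_network objects; host entries become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def normalise(nets):
    """Drop prefixes already covered by a wider one and merge adjacent blocks.
    collapse_addresses() refuses mixed families, so v4 and v6 are handled apart."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


class RadixTable:
    """Binary trie keyed on address bits, one child per bit value ("0"/"1").
    A prefix is recorded at the node reached after its prefixlen bits."""

    def __init__(self):
        self.roots = {4: {}, 6: {}}

    @staticmethod
    def _bits(addr, width):
        return format(int(addr), "0%db" % width)

    def add(self, net):
        node = self.roots[net.version]
        for b in self._bits(net.network_address, net.max_prefixlen)[: net.prefixlen]:
            node = node.setdefault(b, {})
        node["match"] = net  # a loaded prefix ends here

    def lookup(self, address):
        """Return (longest matching prefix or None, number of trie edges walked).
        The walk stops at the first missing child, so it never exceeds 32/128 edges."""
        addr = ipaddress.ip_address(address)
        node = self.roots[addr.version]
        best, steps = None, 0
        for b in self._bits(addr, addr.max_prefixlen):
            node = node.get(b)
            if node is None:
                break
            steps += 1
            if "match" in node:
                best = node["match"]
        return best, steps


def build_table(text):
    """Parse, normalise and load a table file; returns (table, prefixes actually loaded)."""
    nets = normalise(parse_table(text))
    table = RadixTable()
    for net in nets:
        table.add(net)
    return table, nets


if __name__ == "__main__":
    table, loaded = build_table(SAMPLE_TABLE)
    print("loaded prefixes:", [str(n) for n in loaded])
    for probe in ("192.0.2.17", "198.51.100.8", "10.0.0.1", "2001:db8:dead:beef::1"):
        print(probe, "->", table.lookup(probe))
```

Running it shows the six-line sample collapsing to four prefixes, and every probe finishing in at most one step per address bit: an address inside the /24 matches after 24 edges, one that diverges from a /32 entry stops at the divergent bit with no match, and an address whose first bit has no child stops immediately. On the real system the equivalent operations are pfctl -t spammers -T replace -f /etc/SPAMMERS, which swaps the table contents without reloading the ruleset, and pfctl -t spammers -T test 192.0.2.17, which asks the kernel which entry an address matches.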





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?404620925.34894.1490821068262.JavaMail.www>