Date: Wed, 29 Mar 2017 22:57:48 +0200 (CEST)
From: Martin MATO <martin.mato@orange.fr>
To: freebsd-pf@freebsd.org
Subject: re: When should I worry about performance tuning?
Message-ID: <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>
In-Reply-To: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>
References: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>

Greetings.

I don't understand some things.
Your machine is a mail relay/server, or you have a host without any firewall between it and the internet?

In the first case, you should prefer setting up greylisting / tarpitting at minimum; feeding a firewall table for blacklisting is a never-ending story (plus, there is a real chance of blocking real MX relays).

And in the second case a basic pf configuration blocking any incoming attempts like:

set skip on lo0 # skipping any filtering on lo0
ext_iface="your_network_card_connected_to_internet"
# let outbound traffic leave; replies come back through the state it creates
pass out quick on $ext_iface all
# log and block everything else on the external interface
block log quick on $ext_iface all

should be sufficient.
For more information about optimizations, man (5) pf.conf should do the trick.

Regards.

> Message of 29/03/17 22:05
> From: "Chris H"
> To: "FreeBSD pf"
> Cc:
> Subject: When should I worry about performance tuning?
>
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated. But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bonafide* SPAM sources.
> I've been honing, and tuning my approach to insure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IP's
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table <spammers> persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from <spammers> to port {smtp, submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>
> --Chris
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From: "Chris H" <bsd-lists@bsdforge.com>
To: "Kristof Provost" <kristof@sigsegv.be>
Cc: "FreeBSD pf" <freebsd-pf@freebsd.org>
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 14:00:58 -0700
Message-id: <dfd16bf2f6716539e1ab7ed43af0b90b@ultimatedns.net>
In-Reply-To: <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>
References: <ee6734e6caa6591c051c1d4ff66e9937@ultimatedns.net>, <9C2B6967-4475-4AC9-BA41-6227EF3511F9@sigsegv.be>

On Wed, 29 Mar 2017 22:19:58 +0200 "Kristof Provost" <kristof@sigsegv.be> wrote

> On 29 Mar 2017, at 22:06, Chris H wrote:
> > OK. My association with FreeBSD has made me a prime
> > target for every male hormone distributor on the net.
> > Fact is; I can guarantee ~89 SPAM attempts in under 5
> > minutes, after creating a pr on bugzilla. At first I
> > was angry, and frustrated. But decided to make it a
> > challenge/contest, and see my way to thwarting their
> > attacks. Long story short; I think I'm on the right
> > track; In just over a month, I've managed to trap
> > just under 3 million (2,961,264) *bonafide* SPAM sources.
> > I've been honing, and tuning my approach to insure that
> > there are zero false positives, and at the same time,
> > make it more, and more efficient.
> > So now that I'm dropping packets from *so* many IP's
> > I'm wondering if it's not time to better tune pf(4).
> > I've never worked pf hard enough to do any more than
> > create a table, and a few simple rules. But I think I
> > need to do more.
> > Here's the bulk of what I'm using now:
> >
> > ###################################
> > set loginterface re0
> > set block-policy drop
> > set fingerprints "/etc/pf.os"
> > scrub in all
> > set skip on lo0
> > antispoof quick for lo0
> > antispoof for re0 inet
> >
> > table <spammers> persist file "/etc/SPAMMERS"
> > block in log quick on re0 proto tcp from <spammers> to port {smtp,
> > submission,
> > pop3, imap, imaps}
> > ###################################
> >
> > Would set optimization be warranted?
> > Any thoughts, or advice greatly appreciated!
> >
> If I’m reading the code right the table lookup already uses a radix table
> internally, so I would already expect this to perform as well as it’s
> going to.
>
> Arguably you could just drop all traffic from them on all interfaces, but I
> doubt that’ll make a huge difference.
>
Thanks for the reply, Kristof!
If it makes any difference. All the IP's in the table are in CIDR
notation, and are of either
www.xxx.yyy.0/24, or www.xxx.yyy.zzz/32
It seemed that would be the most efficient approach -- to me, anyway. :-)

Thanks again!

--Chris
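
The thread describes a table file holding only /24 and /32 entries and raises the risk of blocking legitimate MX relays. The Python sketch below is an added example, not part of any message in this thread: it compacts such a file before it is loaded and rejects entries that are malformed or wider than expected. The name compact_table, the widest_prefix threshold and the sample addresses (documentation ranges) are assumptions.

```python
"""Added example: compact a pf table file of /24 and /32 IPv4 entries."""
import ipaddress

# Constructed sample in the style of /etc/SPAMMERS (documentation ranges only).
SAMPLE = """\
192.0.2.0/24
192.0.2.15/32      # already covered by the /24 above
198.51.100.6/32
198.51.100.7/32
203.0.113.9
0.0.0.0/0
bogus
"""


def compact_table(lines, widest_prefix=24):
    """Return (networks, rejected) for the lines of a table file.

    networks: minimal sorted list of IPv4 networks covering the same addresses
              (covered /32s dropped, adjacent blocks merged).
    rejected: entries that are malformed, not IPv4, or wider than
              widest_prefix, i.e. the ones most likely to cause a
              false positive if loaded blindly.
    """
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # tolerate comments, blank lines
        if not entry:
            continue
        try:
            # strict=False masks host bits, so 192.0.2.77/24 -> 192.0.2.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen < widest_prefix:
            rejected.append(entry)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


if __name__ == "__main__":
    networks, rejected = compact_table(SAMPLE.splitlines())
    for net in networks:
        print(net)
    for entry in rejected:
        print(f"# rejected: {entry}")
```

The compacted list covers exactly the same addresses as the accepted input, so the block rule matches the same sources with fewer table entries.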