From: Martin MATO
To: freebsd-pf@freebsd.org
Date: Wed, 29 Mar 2017 22:57:48 +0200 (CEST)
Subject: re: When should I worry about performance tuning?

Greetings.

I don't understand some things. Is your machine a mail relay/server, or do you have a host without any firewall between it and the internet?
In the first case, you should prefer setting up greylisting / tarpitting at a minimum; feeding a firewall table for blacklisting is a neverending story (plus, there is a real chance of blocking real MX relays).

And in the second case a basic pf configuration blocking any incoming attempts, like:

set skip on lo0 # skip any filtering on lo0
ext_iface="your_network_card_connected_to_internet"
pass out quick on $ext_iface all
block log quick on $ext_iface all

should be sufficient. For more information about optimizations, man (5) pf.conf should do the trick.

Regards.

> Message of 29/03/17 22:05
> From: "Chris H"
> To: "FreeBSD pf"
> Cc:
> Subject: When should I worry about performance tuning?
>
> OK. My association with FreeBSD has made me a prime
> target for every male hormone distributor on the net.
> Fact is; I can guarantee ~89 SPAM attempts in under 5
> minutes, after creating a pr on bugzilla. At first I
> was angry, and frustrated. But decided to make it a
> challenge/contest, and see my way to thwarting their
> attacks. Long story short; I think I'm on the right
> track; In just over a month, I've managed to trap
> just under 3 million (2,961,264) *bonafide* SPAM sources.
> I've been honing, and tuning my approach to ensure that
> there are zero false positives, and at the same time,
> make it more, and more efficient.
> So now that I'm dropping packets from *so* many IP's
> I'm wondering if it's not time to better tune pf(4).
> I've never worked pf hard enough to do any more than
> create a table, and a few simple rules. But I think I
> need to do more.
> Here's the bulk of what I'm using now:
>
> ###################################
> set loginterface re0
> set block-policy drop
> set fingerprints "/etc/pf.os"
> scrub in all
> set skip on lo0
> antispoof quick for lo0
> antispoof for re0 inet
>
> table persist file "/etc/SPAMMERS"
> block in log quick on re0 proto tcp from to port {smtp, submission,
> pop3, imap, imaps}
> ###################################
>
> Would set optimization be warranted?
> Any thoughts, or advice greatly appreciated!
>
> --Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From: "Chris H"
To: "Kristof Provost"
Cc: "FreeBSD pf"
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 14:00:58 -0700

On Wed, 29 Mar 2017 22:19:58 +0200 "Kristof Provost" wrote
> On 29 Mar 2017, at 22:06, Chris H wrote:
> > OK. My association with FreeBSD has made me a prime
> > target for every male hormone distributor on the net.
> > Fact is; I can guarantee ~89 SPAM attempts in under 5
> > minutes, after creating a pr on bugzilla. At first I
> > was angry, and frustrated. But decided to make it a
> > challenge/contest, and see my way to thwarting their
> > attacks. Long story short; I think I'm on the right
> > track; In just over a month, I've managed to trap
> > just under 3 million (2,961,264) *bonafide* SPAM sources.
> > I've been honing, and tuning my approach to insure that
> > there are zero false positives, and at the same time,
> > make it more, and more efficient.
> > So now that I'm dropping packets from *so* many IP's
> > I'm wondering if it's not time to better tune pf(4).
> > I've never worked pf hard enough to do any more than
> > create a table, and a few simple rules. But I think I
> > need to do more.
> > Here's the bulk of what I'm using now:
> >
> > ###################################
> > set loginterface re0
> > set block-policy drop
> > set fingerprints "/etc/pf.os"
> > scrub in all
> > set skip on lo0
> > antispoof quick for lo0
> > antispoof for re0 inet
> >
> > table persist file "/etc/SPAMMERS"
> > block in log quick on re0 proto tcp from to port {smtp,
> > submission,
> > pop3, imap, imaps}
> > ###################################
> >
> > Would set optimization be warranted?
> > Any thoughts, or advice greatly appreciated!
> >
> If I'm reading the code right the table lookup already uses a radix table
> internally, so I would already expect this to perform as well as it's
> going to.
>
> Arguably you could just drop all traffic from them on all interfaces, but I
> doubt that'll make a huge difference.
>
Thanks for the reply, Kristof!
If it makes any difference, all the IPs in the table are in CIDR notation,
and are of either www.xxx.yyy.0/24, or www.xxx.yyy.zzz/32.
It seemed that would be the most efficient approach -- to me, anyway. :-)

Thanks again!

--Chris
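As an added example (not code from this thread or from the pf project), here is a small Python helper for the two table-maintenance points raised above: Martin's warning that a blacklist table can end up blocking real MX relays, and Chris's mix of /24 and /32 entries in one table. It parses a pf table file, collapses it into the minimal set of CIDR prefixes (a /32 already covered by a /24 disappears, two adjacent /25s become one /24) and flags any block entry that overlaps an allow-list of relays. The table contents, the allow-list and all names are constructed assumptions.

```python
import ipaddress
from typing import Iterable

# Constructed sample of a pf table file (one address or CIDR per line,
# '#' comments allowed), mixing /24 aggregates with single hosts.
SAMPLE_TABLE = """\
# constructed sample, not a real block list
192.0.2.0/24
192.0.2.17          # already covered by the /24 above
198.51.100.5
198.51.100.6
203.0.113.0/25
203.0.113.128/25    # merges with the /25 above into a /24
"""
ALLOWED_RELAYS = ["198.51.100.6/32"]  # constructed: a relay that must never be blocked

def parse_table(text: str) -> list:
    """Parse pf table-file syntax into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set, as pfctl does
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets: Iterable) -> list:
    """Merge adjacent and contained prefixes: fewer entries, same coverage."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def conflicts(nets: Iterable, allowed: Iterable[str]) -> list:
    """Return (block_entry, relay) pairs where a block entry would hit a relay."""
    allow = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [(n, a) for n in nets for a in allow
            if n.version == a.version and n.overlaps(a)]

def render(nets: Iterable) -> str:
    """Emit the collapsed set in the form a pf table file expects."""
    return "\n".join(str(n) for n in nets) + "\n"

if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    merged = collapse(entries)
    print(f"{len(entries)} entries -> {len(merged)} after collapsing")
    for blocked, relay in conflicts(merged, ALLOWED_RELAYS):
        print(f"WARNING: {blocked} also covers allowed relay {relay}")
    print(render(merged), end="")
```

The rendered output can be written to a file and loaded into a table with `pfctl -t <table> -T replace -f <file>`, so the kernel's radix table holds the smaller collapsed set rather than every individual entry.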