From: krad
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Wed, 23 Jun 2010 18:59:53 +0100
Subject: Re: iptables equivalent

On 22 June 2010 20:36, Erik Norgaard wrote:

> On 21/06/10 20.06, pete wright wrote:
>
>> On Jun 21, 2010, at 10:28 AM, Jean-Paul Natola wrote:
>>
>>> I'm particularly trying to implement some type of rate control as we
>>> are getting hammered by spam.
>>
>> I'd humbly suggest pf + spamd if you are concerned specifically about
>> stopping spam, both are supported by FreeBSD and I have had great
>> success using these tools to combat spam.
>
> spamd does not stop spam. It is intended to increase the cost of sending
> spam at little cost to your server by keeping the spammer busy trying.
>
> If you're concerned with blocking spam from a limited set of known sources,
> then you can create block lists in your firewall. If you know that you will
> not receive legitimate mails from certain countries, you can block their
> assigned IP ranges.
>
> If you're trying to block a large number of unknown sources, then I suggest
> subscribing to spamhaus' lists and configure your server to adhere strictly
> to the protocols.
>
> You may wish to subscribe to lists of dynamic IP ranges. These are often
> considered spam sources hosting a large number of bot-nets. However, you may
> also block mail from legitimate servers run by people who like to run their
> own home server - such as FreeBSD users.
>
> There is only limited benefit of some kind of rate control and I believe
> that such controls must be implemented in your mail server. Implementing
> rate control may also delay legitimate mail, and depending on how you do
> it, spammers may even cause a DoS against your server.
>
> Anyway, to avoid spammers eating up server resources, check your server
> config:
>
> 1. ensure that the spam decision is reached as fast as possible
> 2. consider early whitelisting of the most common legitimate mail sources
> 3. DNS block lists should be last as they add additional delay, possibly
>    you can configure a local DNS cache to shorten delay
>
> BR, Erik
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org

True, spamd doesn't block spam, it rates it. However, these ratings on hosts can be used to build an IP list which can be applied to a pf table.
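
An added example, not part of the original thread: one way to turn per-host spam ratings into an address list for a pf table, as the reply above suggests. The "IP score" input format, the thresholds and the whitelist are assumptions made for illustration; requiring repeated high scores and honouring a whitelist addresses the concern raised earlier in the thread about blocking legitimate servers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input, one "<source IP> <spam score>" pair per scored message.
# This format is an assumption for the example, not the output of any real tool.
SAMPLE_RATINGS = """\
203.0.113.7 9.1
203.0.113.7 8.4
203.0.113.7 7.9
198.51.100.20 9.5
192.0.2.55 9.9
192.0.2.55 8.8
192.0.2.55 9.2
2001:db8::25 8.0
2001:db8::25 8.3
2001:db8::25 9.0
not-an-ip 9.9
"""

# Hypothetical whitelist of known legitimate senders that must never be blocked.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]


def build_block_list(lines, min_score=7.0, min_hits=3, whitelist=WHITELIST):
    """Return IPs that sent at least min_hits messages scored >= min_score."""
    hits = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
            score = float(fields[1])
        except ValueError:
            continue  # never let a malformed entry reach the firewall table
        if score >= min_score:
            hits[addr] += 1
    blocked = [a for a, n in hits.items()
               if n >= min_hits and not any(a in net for net in whitelist)]
    return [str(a) for a in sorted(blocked, key=lambda a: (a.version, a))]


def render_table_file(addresses):
    """One address per line, the plain-text form pfctl reads with -f."""
    return "".join(a + "\n" for a in addresses)


if __name__ == "__main__":
    print(render_table_file(build_block_list(SAMPLE_RATINGS.splitlines())), end="")
```

The resulting file can be loaded into a table with `pfctl -t spammers -T replace -f <file>`, where the table name `spammers` is a placeholder chosen for this example.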