From owner-freebsd-pf@FreeBSD.ORG Sun Feb 11 16:56:12 2007
Message-ID: <45CF4A96.9030304@vwsoft.com>
Date: Sun, 11 Feb 2007 17:55:50 +0100
From: Volker <volker@vwsoft.com>
To: "eculp@encontacto.net"
Cc: freebsd-pf@freebsd.org
References: <45C5D5DB.9050407@vwsoft.com> <20070208111755.81jaocgn4w880k4g@correo.encontacto.net> <45CC707C.5030608@vwsoft.com> <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>
In-Reply-To: <20070211085403.70hvjlstbks0wk8g@correo.encontacto.net>
Subject: Re: SPAMD stop passing mail from WHITE-list
List-Id: "Technical discussion and general questions about packet filter (pf)"
Ed,

On 02/11/07 15:54, eculp@encontacto.net wrote:
> Quoting Volker :
>
> I just set up a machine using your suggestions, correctly I hope ;)
> I have set it up as:
>
> block drop in quick on $ext_if from to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
>     ( max-src-conn 5, max-src-conn-rate 80/90, overload flush global )
>
> I'm still not flushing the table with tableexpire as I do with my
> bruteforce ssh table from crontab. I want to evaluate the entries for a
> while first.
>
> I chose max-src-conn 5 because that is the max number of connections per
> IP in courier. I assume that should work and if I change it, I would
> think that I should probably change the courier esmtpd configuration
> also. Time will tell I guess.

Your rules are looking good so far. For the max-src-conn value you have to
check what value will be best for you. If you're using any other server as
a backup MX and you're the final destination, a value of 5 may be bad, as
postfix (for example) is using 5 as a destination concurrency limit per
default, which might easily blow your overload rule, and your backup MX
might get blocked. You should check that the value really works for you, so
as not to have legitimate hosts being blocked.

>> I haven't found a way to use that mechanism to block such hosts for,
>> say 120 minutes (which would be a great feature).
>
> For my ssh-bruteforce table I am using a crontab entry to expire the
> entries every 30 minutes. Just in case I shoot myself in the foot, the
> pain is reduced to half an hour. ;)
>
> */30 * * * * root \
>     /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

It's ok if it does fit your needs, but remember: if a host is being blocked
by your overload rules at 12:29, it's getting unblocked at 12:30.
I haven't checked expiretable (had really forgotten it), which might be a
better solution, as far as I remember expiretable from the ML discussion.

> Thanks so much for sharing your configuration and advice.

You're welcome!

I've just written a small periodic script to have newly blocked IP
addresses being visible in the daily security report. If you want to use
it, change the table name, copy the file to
/usr/local/etc/periodic/security/... and chmod it executable:

/usr/local/etc/periodic/security/710.blockedhosts:

#!/bin/sh
# show changes in IP addresses being blocked by pf

# If there is a global system configuration file, suck it in.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# check_diff comes from here
. /etc/periodic/security/security.functions

rc=0
blocktable=${blocktable-"blockhosts"}
cmd=${cmd-"pfctl -t ${blocktable} -Ts"}

# number of entries currently in the table, shown in the report header
nc=`${cmd} | wc -l`
# check_diff keeps yesterday's listing under the given label and prints the diff
${cmd} | check_diff "${blocktable}" - "${host} blocking host changes (total ${nc} IP):"
rc=$?

exit $rc
#EOF

Greetings,

Volker
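Volker's 710.blockedhosts relies on check_diff from the periodic(8) security framework, so it only runs inside that framework. The following is an added example, not Volker's script and not FreeBSD's own code: a stand-alone sh script that does the same diff-and-report job for any pf table and keeps its own state file. The PFCTL_CMD override (so the logic can be exercised offline against a constructed listing) and the default state-file path under /var/db are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not Volker's 710.blockedhosts and not part of FreeBSD's
# periodic(8) framework): report which addresses were added to or removed
# from a pf table since the last run, keeping state in a plain file.
#
# Assumptions: pfctl(8) is available and the table exists when run for
# real; PFCTL_CMD is a hypothetical override used so the logic can be
# tested offline against a constructed listing (PFCTL_CMD="cat listing").

# list_table TABLE: print the table's entries, one per line, sorted and
# de-duplicated (comm(1) below needs sorted input).
list_table() {
    _tbl=$1
    if [ -n "${PFCTL_CMD-}" ]; then
        $PFCTL_CMD
    else
        pfctl -t "$_tbl" -T show
    fi | sed 's/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# table_changes TABLE STATEFILE: print "+addr" for each newly blocked
# address and "-addr" for each address that was released, then record the
# current listing in STATEFILE. Returns 1 when something changed and 0 when
# nothing changed, the convention the periodic security scripts use.
table_changes() {
    _tbl=$1
    _state=$2
    _new=$(mktemp) || return 2
    list_table "$_tbl" > "$_new"
    [ -f "$_state" ] || : > "$_state"
    # comm -3: column 1 = only in old state (released), column 2
    # (tab-indented) = only in the new listing (newly blocked).
    _out=$(comm -3 "$_state" "$_new" |
        awk -F'\t' '{ if ($1 == "") print "+" $2; else print "-" $1 }')
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        cp "$_new" "$_state"
        rm -f "$_new"
        return 1
    fi
    rm -f "$_new"
    return 0
}

# Stand-alone use: ./pftable_changes.sh blockhosts /var/db/blockhosts.state
if [ $# -ge 1 ]; then
    table_changes "$1" "${2:-/var/db/pftable_$1.state}"
fi
```

Run it once a day from cron and mail the output; the state file is rewritten only when the listing changed, so a quiet day produces no output and exit status 0. Note that this only reports who got blocked and released; like Volker's script it does not expire anything, which remains the job of expiretable or a scheduled flush.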