From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Tue, 25 Aug 2009 17:13:27 +0200
Subject: Re: something like bruteblock for pf?
In-Reply-To: (Igor Mozolevsky's message of "Sun, 23 Aug 2009 02:07:23 +0100")
Message-ID: <87eir0sz8o.fsf@thingy.bsdly.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Igor Mozolevsky writes:

>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
> [snip]
>
>> Anybody know of anything similar for pf?
>
> http://www.bgnett.no/~peter/pf/en/spamd.setup.html

OP more likely wants something like state tracking with overload tables, i.e. http://home.nuug.no/~peter/pf/en/bruteforce.html or similar (yes, please update your bookmarks to point to the nuug site, the bgnett one is getting stale).

It's worth noting that the overload tables method is not limited to specific services as long as you can dream up sensible criteria and some useful action to take on the hosts that end up in the overload list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
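A minimal pf.conf illustrating the overload-table approach the reply points to, added here as an example and not taken from the message or from the linked how-to. The interface name, table name, thresholds and the sample address in the comments are assumptions; the second service rule shows the same mechanism applied to SMTP, as the reply says it can be.

```pf
# Added example (not from the original message): pf state-tracking
# options that move abusive hosts into a table, then block that table.
# Assumptions: em0 is the external interface; the table name and the
# thresholds below are illustrative, tune them for your own site.

ext_if = "em0"

# Hosts that trip the limits land here; "persist" keeps the table even
# when no loaded rule currently references it.
table <bruteforce> persist

# Drop everything from hosts already in the table, before any pass rule.
block quick from <bruteforce>

# SSH: at most 15 concurrent states per source, and no more than 5 new
# connections within 3 seconds. A source that exceeds either limit is
# added to <bruteforce>, and "flush global" kills all of its states.
pass in on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# The same mechanism applies to any service; only the criteria change.
# SMTP gets a looser rate limit here, since legitimate MTAs retry.
pass in on $ext_if proto tcp to $ext_if port smtp \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/10, \
     overload <bruteforce> flush global)

# Useful actions on the table from the shell (run as root):
#   pfctl -t bruteforce -T show               # list hosts currently blocked
#   pfctl -t bruteforce -T expire 86400       # drop entries older than a day
#   pfctl -t bruteforce -T delete 192.0.2.1   # release one host (sample address)
```

The expire command is the piece most setups schedule from cron, so that a host that tripped the limit once is not blocked forever.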