From: "Chris H" (bsd-lists@bsdforge.com)
To: FreeBSD PF List, Dave Horsfall
Subject: Re: When should I worry about performance tuning?
Date: Wed, 29 Mar 2017 16:53:54 -0700
Message-id: <773b235971b4a8fa34d084222e018b4b@ultimatedns.net>
References: <404620925.34894.1490821068262.JavaMail.www@wwinf1g03>
List-Id: Technical discussion and general questions about packet filter (pf), freebsd-pf@freebsd.org

On Thu, 30 Mar 2017 08:20:55 +1100 (EST) Dave Horsfall wrote:

> On Wed, 29 Mar 2017, Martin MATO wrote:
>
> > In the first case, you should prefer setting greylisting / tarpitting
> > at minimum; feeding a firewall table for blacklisting is a never-ending
> > story (plus, there is some real chance of blocking real MX relays).
>
> A judicious selection of DNSBLs and enforcement of RFC-compliance etc. do
> the trick for me; I block several hundred attempts each day, with very few
> false positives and hardly any getting through (and I don't mind wasting
> SMTP cycles).

I'm currently blocking (filtering) several hundred/hr.

> And was the OP really blocking only a few ports and allowing the rest?

Nope. Blocking all unused ports && filtering on the rest. :-)

> If so, that's backwards to good practice.

Indeed. I couldn't agree more.

--Chris

> --
> Dave Horsfall DTM (VK2KFU) "Those who don't understand security will
> suffer."
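The "block all unused ports, filter the rest" posture discussed above, written out as a pf.conf ruleset. This is an added example, not a ruleset posted by anyone in the thread: the interface name, address ranges and the 10-connections-per-30-seconds threshold are assumptions, and the trusted-relay table is one way to reduce the chance of catching real MX relays in an automatically fed blacklist.

```pf
# Added example (not from the thread): default-deny pf.conf in FreeBSD pf syntax.
# Every port not explicitly passed is dropped; the blacklist lives in tables,
# not in the ruleset, so it can be edited and expired without a reload.
ext_if    = "em0"                      # assumption
admin_net = "203.0.113.0/24"           # constructed RFC 5737 range

# Hand-maintained blacklist: pfctl -t blacklist -T add <addr>
# "persist" keeps the table across ruleset reloads even when it is empty.
table <blacklist> persist
# Addresses pf inserts on its own when the SMTP rate limit below trips.
table <smtp_abusers> persist
# Relays that must never be rate-limited or auto-blacklisted (constructed addresses).
table <trusted_mx> persist { 198.51.100.10, 198.51.100.11 }

set skip on lo0
scrub in all

# Default deny: anything not matched by a pass rule below is dropped and logged.
block log all

# Both blacklist tables are checked first; "quick" ends evaluation on a match.
block in quick on $ext_if from { <blacklist>, <smtp_abusers> } to any

# Management only from the admin network.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh keep state

# Known-good relays bypass the connection-rate limit entirely.
pass in quick on $ext_if proto tcp from <trusted_mx> to ($ext_if) port smtp keep state

# Everyone else gets SMTP, but more than 10 new connections in 30 seconds from
# one source puts that source into <smtp_abusers> and flushes its states.
pass in on $ext_if proto tcp from any to ($ext_if) port smtp \
    keep state (max-src-conn-rate 10/30, overload <smtp_abusers> flush global)

# Traffic originated by the host itself.
pass out on $ext_if keep state
```

To keep the automatic table from becoming the never-ending story Martin describes, expire its entries periodically rather than letting them accumulate, for example from cron with `pfctl -t smtp_abusers -T expire 86400`, which removes addresses untouched for a day; the hand-maintained `<blacklist>` is left alone by that command. `pfctl -t smtp_abusers -T show` lists what the rate limit has caught, which is the place to look for a legitimate relay that retries aggressively before promoting it to `<trusted_mx>`.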