From: snowcrash
Sender: schneecrash@gmail.com
To: freebsd-pf@freebsd.org
Date: Thu, 31 May 2007 09:41:02 -0700
Message-ID: <70f41ba20705310941l62a95d98s22651e2ec5fed7fb@mail.gmail.com>
Subject: how best to block this port 25 traffic/spam?
Reply-To: schneecrash+pf@gmail.com
List-Id: "Technical discussion and general questions about packet filter (pf)"

hi,

i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.

in my pf.conf, i've

  ...
  set require-order no
  ...
  nat on $extif from $intif:network to any -> ($extif)
  ...
  no rdr on $extif from to any tag MXbl
  block log quick tagged MXbl label "(MXbl)"
  ...
  rdr on $extif proto tcp from to $MXwan port 25 -> $MXlan port 25
  rdr pass on $extif proto tcp from to ($extif) port 25 -> 127.0.0.1 port 8025
  rdr pass on $extif proto tcp from ! to ($extif) port 25 -> 127.0.0.1 port 8025
  rdr on $extif proto tcp from to $MXwan port 25 -> $MXlan port 25
  ...
  pass in log quick on $extif proto tcp from { , } to $MXlan port 25 keep state
  pass out log quick on $extif proto tcp from any to any port 25 keep state
  pass out log quick on $intif proto tcp from $MXlan to any port 25 keep state
  ...

all works great!

in my spamd logs, i'm seeing lots of

  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: ->

characterized by,

  (1) forged FROM: @hotmail.com
  (2) multiple connections per second from a given IP
  (3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that _does_ sneak past the spamd stutter etc gets dropped anyway.

i'd LIKE to simply BLOCK, with NO logging, these noisy, from-@-hotmail connections at the fw PRIOR to spamd ever seeing them.

iiuc, my options to do so include:

  (a) install a small SMTP server on the router to ONLY reject at CBL *prior* to passing on to spamd
  (b) use the same SMTP server to reject FROM: == *@hotmail
  (c) DL/rsync the whole CBL into a local pf/spamd table
  (d) throttle # of connections / second, and add to pf block element if match/exceed

thoughts/comments on the 'best' approach?

thanks!
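Editor's added example, not part of the original message and not the poster's configuration. It shows option (d) two ways: with pf's own state-tracking limits (max-src-conn-rate plus an overload table), which puts a source that opens too many connections into a table inside the kernel with no log parsing at all, and with a small shell/awk pass over spamd's (GREY) lines that feeds offenders to a table via pfctl. It also shows a file-backed table for option (c). Names are assumptions: the table is called <MXbl> (the table name in the posted "no rdr ... tag MXbl" rule did not survive the archive, only the tag did), $extif is the external interface, spamd listens on 127.0.0.1:8025 as in the posted rules, and the log lines are constructed in spamd's log format with placeholder addresses. Note that the forged "FROM: @hotmail.com" is SMTP payload that pf never sees, so (a)/(b) need something that speaks SMTP in front of spamd; the packet filter can only act on source address and connection rate.

```shell
#!/bin/sh
# Added example (not from the original post) for option (d): throttle SMTP
# connections per source and push offenders into a pf block table.
#
# Assumptions (not from the post): the block table is <MXbl> (the post's
# table name was lost from the archive; only the tag "MXbl" survives), the
# file-backed <dnsbl> table holds a list you can legitimately download,
# $extif is the external interface, and spamd listens on 127.0.0.1:8025 as
# in the posted rules.
set -eu

# --- 1) in-kernel throttle: no log parsing at all --------------------------
# "rdr" (not "rdr pass") so the pass rule below still applies; its state
# options put any source opening more than 3 connections in 10 s into <MXbl>
# and flush its states. The "no rdr ... tag" + "block quick tagged" pair
# mirrors the post's own layout; without "log" on the block rule the drops
# are silent. Order is translation then filter, so no "set require-order no".
pf_ratelimit_rules() {
    cat <<'EOF'
table <MXbl> persist
table <dnsbl> persist file "/etc/pf/dnsbl.txt"
no rdr on $extif proto tcp from { <MXbl>, <dnsbl> } to any port 25 tag MXbl
rdr on $extif proto tcp from any to ($extif) port 25 -> 127.0.0.1 port 8025
block quick tagged MXbl
pass in quick on $extif proto tcp from any to 127.0.0.1 port 8025 \
    flags S/SA keep state (max-src-conn-rate 3/10, overload <MXbl> flush global)
EOF
}

# --- 2) log-driven fallback: count spamd (GREY) hits per source per second --
# Reads syslog lines on stdin; prints each source IP (once) that reached $1
# (default 3) connections within one clock second. Field layout:
#   May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <from> -> <to>
#   $1  $2 $3       $4    $5          $6     $7
find_abusers() {
    thr=${1:-3}
    awk -v thr="$thr" '
        $6 == "(GREY)" {
            ip = $7; sub(/:$/, "", ip)
            key = $1 " " $2 " " $3 " " ip          # month day hh:mm:ss ip
            if (++n[key] == thr && !seen[ip]++) { print ip; fflush() }
        }'
}

# Adds each IP read on stdin to table $1. With $2 = "dry" it only prints the
# command, so the logic can be checked without root or a live pf.
block_abusers() {
    table=${1:-MXbl}
    mode=${2:-live}
    while read -r ip; do
        if [ "$mode" = dry ]; then
            echo "pfctl -t $table -T add $ip"
        else
            pfctl -t "$table" -T add "$ip"
        fi
    done
}

# Constructed sample log (addresses are placeholders): three hits in one
# second from the post's 208.104.144.37, a slow sender that must not be
# flagged, and a whitelisted one that must be ignored.
SAMPLE_LOG='May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <a@hotmail.com> -> <me@example.org>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <b@hotmail.com> -> <me@example.org>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <c@hotmail.com> -> <me@example.org>
May 31 09:29:28 edge6 spamd[416]: (GREY) 192.0.2.10: <x@example.net> -> <me@example.org>
May 31 09:29:31 edge6 spamd[416]: (GREY) 192.0.2.10: <x@example.net> -> <me@example.org>
May 31 09:29:31 edge6 spamd[416]: (WHITE) 198.51.100.7: <y@example.com> -> <me@example.org>'

# Usage:  sh smtp-throttle.sh demo      (dry run on the sample above)
#         tail -F /var/log/spamd | sh smtp-throttle.sh live
#         (substitute whatever file syslog sends spamd's lines to)
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | find_abusers 3 | block_abusers MXbl dry
          pf_ratelimit_rules ;;
    live) find_abusers 3 | block_abusers MXbl live ;;
esac
```

Merge the rule fragment into pf.conf and check it with `pfctl -nf /etc/pf.conf` before loading. Entries added by overload or by pfctl stay until removed; `pfctl -t MXbl -T show` lists them and a cron job running `pfctl -t MXbl -T expire 86400` drops anything older than a day, which keeps a dynamic IP that later goes to a legitimate sender from being blocked forever. The "flush global" option kills every state the offending source holds, not only the ones created by that rule. For option (c), most DNSBLs, the CBL included, are queried over DNS rather than published as a downloadable list, so a file-backed table like <dnsbl> is realistic for a list that is offered for download (Spamhaus DROP, for instance), not for the whole CBL.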