Date: Sat, 1 Apr 2017 08:29:41 +1100 (EST)
From: Dave Horsfall
To: FreeBSD PF List
Subject: Getting auto-block to work

Does anyone have a PF rule that actually blocks woodpeckers? I have this rule:

    pass inet proto tcp from any to any port smtp \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 2/20, \
        overload flush global)

I understand that as being no more than twice in twenty seconds (which is amply generous by my reading of the RFC), but it's not working; for example, the latest problem-child is:

    Date: Mar 31 00:04:10 (v2UD3uT2070289) from= relay=server1.manualpratico.info [186.251.128.25] reject=450 4.7.1 ... I greylist .info

    Date: Mar 31 00:14:25 (v2UDEBaT070308) from= relay=server1.manualpratico.info [186.251.128.25] reject=450 4.7.1 ... I greylist .info

continuing every 15 seconds (and I've seen much worse) which I have manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't PF supposed to do that for me?

(And yes, Sendmail also has this non-working "feature", but that's OT.)

-- 
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
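
Added example (not part of the original message): a simplified sliding-window model of max-src-conn-rate, run against the 15-second cadence described in the message. The model, the function names, the sample arrival times and the 10/300 comparison value are assumptions constructed for illustration; this is not pf's kernel code.

```python
from collections import deque

def first_overload(arrivals, limit, seconds):
    """Time of the first connection that exceeds `limit` new connections
    within any `seconds`-long window, or None if the limit is never exceeded.

    Simplified model of `max-src-conn-rate limit/seconds` (assumption).
    """
    window = deque()
    for t in arrivals:
        window.append(t)
        # Drop connections that have aged out of the window ending at t.
        while window[0] <= t - seconds:
            window.popleft()
        if len(window) > limit:
            return t
    return None

def peak_rate(arrivals, seconds):
    """Largest number of connections observed in any `seconds`-long window."""
    window, peak = deque(), 0
    for t in arrivals:
        window.append(t)
        while window[0] <= t - seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak

# Constructed samples: seconds since the first connection from one source.
STEADY = list(range(0, 3600, 15))   # one connection every 15 s for an hour
BURST = [0, 2, 4, 6]                # four connections in six seconds

def report():
    return {
        "steady 2/20": first_overload(STEADY, 2, 20),
        "burst 2/20": first_overload(BURST, 2, 20),
        "steady peak per 20 s": peak_rate(STEADY, 20),
        "steady peak per 300 s": peak_rate(STEADY, 300),
        "steady 10/300": first_overload(STEADY, 10, 300),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Under this model a sender pacing itself at one connection per 15 seconds reaches the 2/20 limit without exceeding it, while a burst or a longer measurement interval does exceed the limit.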