Date: Fri, 15 Jun 2012 13:00:48 -0400
From: Jason Hellenthal
To: "Shiv. Nath"
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Message-ID: <20120615170048.GA39970@DataIX.net>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>
In-Reply-To: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>

On Fri, Jun 15, 2012 at 04:17:06PM -0000, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
> I want to use PF to prevent SMTP brute force attacks. I need some help
> to understand the correct syntax.
>
> URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> I expect the following behavior from the PF rule below:
>
> Limit the absolute maximum number of states that this rule can create to 200
> Enable source tracking; limit state creation based on states created by
> this rule only
> Limit the maximum number of nodes that can simultaneously create state to 100
> Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
> int0="em0"
> trusted_tcp_ports="{22,25,443,465}"
> pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

I don't know if max will work here but this is what I use for an sshd rule.

pass in log quick proto tcp from any port >1023 to any port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/15 overload flush global)

You should be using the syntax from pf41 through pf45. The URL you referenced has a syntax that changed in pf46, pf47 onward...

--
 - (2^(N-1))
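Below is a pf.conf fragment, added here as an example rather than taken from either poster, that combines the per-source options both rules use and applies them to the SMTP ports only; the table name smtp_bruteforce and the thresholds are assumptions. pf's overload option takes a table name in angle brackets, which the archived text of the sshd rule above does not show.

```pf
# Added example (not from the thread): pf.conf fragment for an SMTP host.
# Macros follow the original post; table name and thresholds are assumed.
int0 = "em0"
smtp_ports = "{ 25, 465 }"

# Table that collects offending source addresses. "persist" keeps it
# defined even while it is empty, so pfctl can add to and show it.
table <smtp_bruteforce> persist

# Drop anything already flagged before the pass rule is consulted.
# Logged so the block events show up in pflog.
block in log quick on $int0 proto tcp from <smtp_bruteforce> to any port $smtp_ports

# Accept new SMTP connections, but with per-source limits:
#   max 200                - at most 200 states from this rule overall
#   source-track rule      - count states per source IP for this rule only
#   max-src-nodes 100      - at most 100 distinct source IPs holding state
#   max-src-states 3       - at most 3 concurrent states per source IP
#                            (counts every state, handshake included)
#   max-src-conn 3         - at most 3 fully established TCP connections
#                            per source IP (TCP only)
#   max-src-conn-rate 5/30 - more than 5 new connections in 30 seconds
#                            from one source triggers the overload action
#   overload <smtp_bruteforce> - put that source into the table
#   flush global           - and kill all of its existing states, from any rule
pass in log quick on $int0 proto tcp from any to ($int0) port $smtp_ports \
    flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3, \
     max-src-conn 3, max-src-conn-rate 5/30, \
     overload <smtp_bruteforce> flush global)
```

Inspect the table with `pfctl -t smtp_bruteforce -T show` and age entries out with `pfctl -t smtp_bruteforce -T expire 3600`, since overload never removes an address by itself. Trusted high-volume relays should be passed by an earlier rule so they never reach the rate limit.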