From: Paul Mather <paul@gromit.dlib.vt.edu>
Date: Fri, 15 Jun 2012 13:12:41 -0400
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks

On Jun 15, 2012, at 12:55 PM, Shiv. Nath wrote:

> # START
> table bruteforce persist
> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
>     from any to $ext_if port $trusted_tcp_ports \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/300, overload bruteforce flush global)
>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function of "expire 604800"? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

It refers to entries in the table specified by the "-t" option and instructs pf to expire (remove from the table) all entries older than the specified time (in seconds). Basically, the value 604800 will expire entries older than 1 week.

For the above pf rules, the cron entry should be "-t bruteforce" (although in the pf rules you should be using "<bruteforce>").

Cheers,

Paul.
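The mismatch Paul points out (the ruleset defines a table named bruteforce while the cron job expires one named ssh-bruteforce) is easy to reintroduce whenever either file is edited. The script below is an added example and not code from the thread or from FreeBSD: it pulls the table names out of a pf.conf and the names handed to "pfctl -t" in a crontab and reports any the crontab uses but the ruleset never defines. The pf.conf sample is the thread's rules rewritten with the "<bruteforce>" syntax pf expects, and both it and the two crontab lines are constructed samples embedded in the script, so it runs without pf or cron being present.

```shell
#!/bin/sh
# Added example, not code from the thread: a lint that catches a crontab
# expiring a pf table that pf.conf never defines. All inputs below are
# constructed samples, so the script runs without pf.

# Sample ruleset: the thread's rules with the table written as pf expects.
PF_CONF='table <bruteforce> persist
block in log quick from <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state (max-src-conn-rate 3/300, overload <bruteforce> flush global)'

# The crontab line from the thread (wrong table name) and a corrected one.
CRONTAB_BAD='*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1'
CRONTAB_GOOD='*/12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1'

# Table names defined in a ruleset, i.e. the <name> on "table <name> ..." lines.
pf_tables() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' | sort -u
}

# Table names a crontab passes to "pfctl -t <name>".
cron_tables() {
    printf '%s\n' "$1" |
        grep -o 'pfctl[[:space:]]*-t[[:space:]]*[^[:space:]]*' |
        awk '{ print $NF }' | sort -u
}

# Print every table the crontab references that the ruleset does not define.
# Returns 1 if any were printed, 0 if the two files agree.
check_tables() {
    defined=$(pf_tables "$1")
    status=0
    for t in $(cron_tables "$2"); do
        if ! printf '%s\n' "$defined" | grep -qx -- "$t"; then
            echo "$t"
            status=1
        fi
    done
    return "$status"
}

# Demonstration on the constructed samples: the first call prints
# "ssh-bruteforce" and fails, the second prints nothing and succeeds.
check_tables "$PF_CONF" "$CRONTAB_BAD" ||
    echo "crontab expires a table that pf.conf does not define"
check_tables "$PF_CONF" "$CRONTAB_GOOD" && echo "crontab and pf.conf agree"
```

On a live system the same check runs as `check_tables "$(cat /etc/pf.conf)" "$(crontab -l)"`; a non-zero exit is the signal that a "-T expire" job is silently doing nothing because its table does not exist, which is exactly the situation the original cron line was in.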