SPAMD stop passing mail from WHITE-list
eculp at encontacto.net
Sun Feb 11 14:54:07 UTC 2007
Quoting Volker <volker at vwsoft.com>:
> Ed,
>
<SNIP />
Hi Volker,
I just set up a machine using your suggestions, correctly I hope ;)
> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state ( max-src-conn [ANYVAL], max-src-conn-rate
> [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )
I have set it up as:
block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
keep state \
( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> \
flush global )
I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab. I want to evaluate the entries for
a while first.
I chose max-src-conn 5 because that is the max number of connections
per IP in courier. I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also. Time will tell I guess.
> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it differently (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).
> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).
For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes. Just in case I shoot myself in the foot,
the pain is reduced to half an hour. ;)
*/30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1
Thanks so much for sharing your configuration and advice.
ed
>
>> Could it work and be controllable or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like
> "max-src-connXXX" don't match here.
>
> HTH,
>
> Volker
>
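An added example, not part of this thread: a small sh/awk lint for the ordering problem Volker describes, checking that every table fed by an overload option is hit by a quick block rule before the quick pass rule that feeds it. It runs over two constructed rulesets; the interface name, table name and temporary file paths are assumptions.

```shell
#!/bin/sh
# Added lint (not from the thread): every "pass ... overload <T>" rule must be
# preceded by a "block ... quick ... from <T>" rule; otherwise an earlier quick
# pass rule keeps admitting hosts after they have been added to T.
pf_overload_order_ok() {
    # $1: pf.conf-style ruleset; "#" comments and "\" continuations are handled
    awk '
        { sub(/#.*/, ""); line = line " " $0
          if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); next }
          rules[++n] = line; line = "" }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                r = rules[i]
                if (r ~ /^[ \t]*block.*quick/ && match(r, /from <[^>]+>/)) {
                    t = substr(r, RSTART + 6, RLENGTH - 7)   # table name
                    if (!(t in blocked)) blocked[t] = i
                }
                if (r ~ /^[ \t]*pass/ && match(r, /overload <[^>]+>/)) {
                    t = substr(r, RSTART + 10, RLENGTH - 11)
                    if (!(t in blocked)) {
                        printf("rule %d: overload <%s> has no earlier quick block rule\n", i, t) > "/dev/stderr"
                        bad = 1
                    }
                }
            }
            exit bad
        }' "$1"
}
# Constructed samples (interface name and paths are assumptions)
LINT_DIR=$(mktemp -d)
GOOD_RULES="$LINT_DIR/good.conf"
BAD_RULES="$LINT_DIR/bad.conf"
cat > "$GOOD_RULES" <<'EOF'
ext_if = "em0"
table <blocksmtp> persist
block drop in quick on $ext_if from <blocksmtp> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    (max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global)
EOF
cat > "$BAD_RULES" <<'EOF'
ext_if = "em0"
table <blocksmtp> persist
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    (max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global)
block drop in on $ext_if from <blocksmtp> to any   # too late, and not quick
EOF
pf_overload_order_ok "$GOOD_RULES" && echo "good.conf: ordering OK"
pf_overload_order_ok "$BAD_RULES" || echo "bad.conf: misordered"
```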