SPAMD stop passing mail from WHITE-list

eculp at encontacto.net eculp at encontacto.net
Sun Feb 11 14:54:07 UTC 2007


Quoting Volker <volker at vwsoft.com>:

> Ed,
>
<SNIP />

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state ( max-src-conn [ANYVAL], max-src-conn-rate
> [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

I have set it up as:

block drop in quick on $ext_if from <blocksmtp> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
  ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )

I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab.  I want to evaluate the entries for
a while first.

I chose max-src-conn 5 because that is the max number of connections
per IP in courier.  I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also.  Time will tell I guess.

> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it different (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).

> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).

For my ssh-bruteforce table I am using a crontab entry to expire the  
entries every 30 minutes.  Just in case I shoot myself in the foot,  
the pain is reduced to half an hour. ;)

*/30    *       *       *       *       root    /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed
>
>> Could it work and be controllable or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like "
> max-src-connXXX" don't match here.
>
> HTH,
>
> Volker
>
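The time-limited blocking Volker asks for above (drop an overloaded host for, say, 120 minutes) is what Ed's expiretable cron entry does for his ssh table. As an added illustration, not code from either poster or from the expiretable project, the script below implements the same idea in Python: it parses the verbose table listing that `pfctl -t <table> -T show -v` prints (the sample text is constructed in that layout, with a `Cleared:` timestamp per address), picks the entries older than a cutoff, and builds the matching `pfctl -T delete` commands. The table name `blocksmtp` and the reference time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of `pfctl -t blocksmtp -T show -v`:
# one address per stanza, followed by its "Cleared" stamp and counters.
SAMPLE_OUTPUT = """\
   192.0.2.10
\tCleared:     Sun Feb 11 12:00:00 2007
\tIn/Block:    [ Packets: 40    Bytes: 2400  ]
\tIn/Pass:     [ Packets: 0     Bytes: 0     ]
   198.51.100.7
\tCleared:     Sun Feb 11 14:30:00 2007
\tIn/Block:    [ Packets: 3     Bytes: 180   ]
\tIn/Pass:     [ Packets: 0     Bytes: 0     ]
   203.0.113.5/32
\tCleared:     Sun Feb 11 09:15:00 2007
\tIn/Block:    [ Packets: 900   Bytes: 54000 ]
\tIn/Pass:     [ Packets: 0     Bytes: 0     ]
"""

ADDR_RE = re.compile(r"^\s*([0-9a-fA-F.:]+(?:/\d+)?)\s*$")   # address line
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")         # ctime(3) stamp
TIME_FMT = "%a %b %d %H:%M:%S %Y"

def parse_table(text):
    """Return {address: cleared_datetime} from verbose pfctl table output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLEARED_RE.match(line)
        if m and current is not None:
            entries[current] = datetime.strptime(m.group(1), TIME_FMT)
    return entries

def expired_entries(text, now, max_age):
    """Addresses whose 'Cleared' stamp is older than max_age at time `now`."""
    return sorted(a for a, t in parse_table(text).items() if now - t > max_age)

def delete_commands(table, addrs):
    """One `pfctl -T delete` command per expired address."""
    return ["pfctl -t %s -T delete %s" % (table, a) for a in addrs]

def run_demo():
    # Assumed reference time: the timestamp of this mail; 120-minute cutoff.
    now = datetime(2007, 2, 11, 14, 54, 7)
    return expired_entries(SAMPLE_OUTPUT, now, timedelta(minutes=120))

if __name__ == "__main__":
    for cmd in delete_commands("blocksmtp", run_demo()):
        print(cmd)
```

On a live system the text would come from `subprocess.run(["pfctl", "-t", "blocksmtp", "-T", "show", "-v"], ...)` and the commands would be executed rather than printed; the 24-minute-old entry is kept, the two older ones are removed.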
More information about the freebsd-pf mailing list