SPAMD stop passing mail from WHITE-list

Volker volker at vwsoft.com
Sun Feb 11 16:56:12 UTC 2007


Ed,

On 02/11/07 15:54, eculp at encontacto.net wrote:
> Quoting Volker <volker at vwsoft.com>:
> 
> I just set up a machine using your suggestions, correctly I hope ;)
> I have set it up as:
> 
> block drop in quick on $ext_if from <blocksmtp> to any
> 
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep
> state \
>  ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush
> global )
> 
> I'm still not flushing the table with tableexpire as I do with my
> bruteforce ssh table from crontab.  I want to evaluate the entries for a
> while first.
> 
> I chose max-src-conn 5 because that is the max number of connections per
> IP in courier.  I assume that should work and if I change it, I would
> think that I should probably change the courier esmtpd configuration
> also.  Time will tell I guess.

Your rules are looking good so far. For the max-src-conn value you
have to check what value will be best for you. If you're using any
other server as a backup MX and you're the final destination, a value of
5 may be bad, as postfix (for example) uses 5 as its default
destination concurrency limit, which might easily trip your overload
rule and get your backup MX blocked. You should check that this
value really works for you so that legitimate hosts don't get
blocked.

>> I haven't found a way to use that mechanism to block such hosts for,
>> say 120 minutes (which would be a great feature).
> 
> For my ssh-bruteforce table I am using a crontab entry to expire the
> entries every 30 minutes.  Just in case I shoot myself in the foot, the
> pain is reduced to half an hour. ;)
> 
> */30    *       *       *       *       root    \
>   /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

It's ok if it fits your needs, but remember that if a host is being
blocked by your overload rules at 12:29, it's getting unblocked at
12:30. I haven't checked expiretable (I had really forgotten about it),
which might be a better solution, as far as I remember expiretable
from the ML discussion.

> Thanks so much for sharing your configuration and advice.

You're welcome!

I've just written a small periodic script to make newly blocked IP
addresses visible in the daily security report.

If you want to use it, change the table name, copy the file to
/usr/local/etc/periodic/security/... and chmod it executable:


/usr/local/etc/periodic/security/710.blockedhosts:
#!/bin/sh
# show changes in IP addresses being blocked by pf

# If there is a global system configuration file, suck it in.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# provides check_diff, which diffs the listing against the previous day's copy
. /etc/periodic/security/security.functions

rc=0

# pf table to watch (the ${var-default} form lets periodic.conf override it)
blocktable=${blocktable-"blockhosts"}
cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
nc=$(${cmd} | wc -l)

# '-' makes check_diff read the table listing from stdin
${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
#EOF

Greetings,

Volker
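The periodic script above leaves the comparison to check_diff. As an added example that is not part of the original message, here is a self-contained version of that comparison which also covers a first run (no previous snapshot) and the indented form in which pfctl -Ts lists entries; the sample snapshots and the names snapshot_table, table_changes and blocked_host_report are assumptions of mine, not anything from the post.

```shell
#!/bin/sh
# Added example: report which addresses entered or left a pf table since
# the last snapshot, the way the daily security mail does, but without
# needing a running pf so it can be exercised anywhere.
# Assumption: a listing is one address per line, possibly indented as
# "pfctl -t <table> -Ts" prints it; blank lines are ignored.

# snapshot_table TABLE FILE: save the live table for the next comparison
# (needs root and pf; not called in the demo below).
snapshot_table() {
    pfctl -t "$1" -Ts > "$2"
}

# table_changes PREV CUR: print "+addr" for newly blocked and "-addr" for
# released entries. The previous file is read in BEGIN so an empty or
# missing snapshot (first run) simply makes every entry new.
table_changes() {
    awk -v prevfile="$1" '
        BEGIN { while ((getline line < prevfile) > 0)
                    if (split(line, w)) prev[w[1]] = 1
                close(prevfile) }
        NF  { cur[$1] = 1; if (!($1 in prev)) print "+" $1 }
        END { for (a in prev) if (!(a in cur)) print "-" a }' "$2" |
        LC_ALL=C sort   # C collation keeps "+" lines before "-" lines
}

# blocked_host_report HOST PREV CUR: the section as it would appear in the
# report; prints nothing when the table is unchanged, so the mail stays quiet.
blocked_host_report() {
    changes=$(table_changes "$2" "$3")
    [ -z "$changes" ] && return 0
    printf '%s blocking host changes (total %s IP):\n' \
        "$1" "$(grep -c '[^[:space:]]' "$3")"
    printf '%s\n' "$changes"
}

# Constructed sample snapshots (documentation addresses, indented like
# pfctl output): 192.0.2.10 was released, 198.51.100.7 is newly blocked.
PREV=$(mktemp); CUR=$(mktemp)
trap 'rm -f "$PREV" "$CUR"' EXIT
printf '   192.0.2.10\n   203.0.113.5\n' > "$PREV"
printf '   203.0.113.5\n   198.51.100.7\n' > "$CUR"

blocked_host_report "$(uname -n)" "$PREV" "$CUR"
```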
