SPAMD stop passing mail from WHITE-list

eculp at encontacto.net
Mon Feb 12 10:09:29 UTC 2007


Quoting Volker <volker at vwsoft.com>:

> Ed,
>
> On 02/11/07 15:54, eculp at encontacto.net wrote:
>> Quoting Volker <volker at vwsoft.com>:
>>
>> I just set up a machine using your suggestions, correctly I hope ;)
>> I have set it up as:
>>
>> block drop in quick on $ext_if from <blocksmtp> to any
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp \
>>     keep state ( max-src-conn 5, max-src-conn-rate 80/90, \
>>     overload <blocksmtp> flush global )
>>
>> I'm still not flushing the table with tableexpire as I do with my
>> bruteforce ssh table from crontab.  I want to evaluate the entries for a
>> while first.
>>
>> I chose max-src-conn 5 because that is the max number of connections per
>> IP in courier.  I assume that should work and if I change it, I would
>> think that I should probably change the courier esmtpd configuration
>> also.  Time will tell I guess.
>
> Your rules are looking good so far. For the max-src-conn value you
> have to check what value will be best for you. If you're using any
> other server as a backup MX and you're the final destination, a value of
> 5 may be bad as postfix (for example) is using 5 as a concurrency
> destination limit per default which might easily blow your overload
> rule and your backup MX might get blocked. You should check if that
> value really works for you so as not to have legitimate hosts being
> blocked.

Hi Volker,

I'm keeping my eye on that, thanks,

>>> I haven't found a way to use that mechanism to block such hosts for,
>>> say 120 minutes (which would be a great feature).
>>
>> For my ssh-bruteforce table I am using a crontab entry to expire the
>> entries every 30 minutes.  Just in case I shoot myself in the foot, the
>> pain is reduced to half an hour. ;)
>>
>> */30    *       *       *       *       root    /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1
>
> It's ok if it does fit your needs but remember if a host is being
> blocked by your overload rules at 12:29 it's getting unblocked at
> 12:30. I haven't checked expiretable (really had it forgotten) which
> might be a better solution as far as I remember expiretable right
> from the ML discussion.

It was/is a bit confusing, but according to the examples in the manual
and in my testing a few months ago for ssh bruteforce, it seems to work
as the manual's examples describe:

EXAMPLES
    The following removes any entries in table int.users older than one hour:

            # expiretable -v -t 3600 int.users

    This example removes any entries in table int.users older than one and a
      half hour:

            # expiretable -v -t 1h30m int.users

I'm not using it yet for smtp but probably will eventually, with a
minimum of a few days.

>
>> Thanks so much for sharing your configuration and advice.
>
> You're welcome!
>
> I've just written a small periodic script to have newly blocked IP
> addresses being visible in the daily security report.
>
> If you'll want to use it, change the table name and copy the file to
> /usr/local/etc/periodic/security/... and chmod it executable:
>
>
> /usr/local/etc/periodic/security/710.blockedhosts:
> #!/bin/sh
> # show changes in IP addresses being blocked by pf
>
> # If there is a global system configuration file, suck it in.
> if [ -r /etc/defaults/periodic.conf ]
> then
>     . /etc/defaults/periodic.conf
>     source_periodic_confs
> fi
>
> . /etc/periodic/security/security.functions
>
> rc=0
>
> blocktable=${blocktable-"blockhosts"}
> cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
> nc=`${cmd} | wc -l`
>
> ${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
> #EOF
>
I was still missing the script and am going to install it now.

Thanks

ed

P.S.  The smtp settings seem to be working as expected so far.
> Greetings,
>
> Volker
>
>
>
>
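
As an added example (not code from this thread, nor part of pf or expiretable), the script below replays a connection log against the two thresholds in the quoted rule, max-src-conn 5 and max-src-conn-rate 80/90, and reports which source addresses the overload option would have added to <blocksmtp>, and for which reason. The addresses, timings and the one-event-per-line log format are constructed for the example; the sliding-window rate check approximates pf's source tracking rather than reproducing its bookkeeping exactly. Feeding it a real connection log in the same format (one line per state creation and teardown) is one way to check, before the table ever blocks anyone, whether a legitimate backup MX with several parallel sessions would trip the concurrency limit while a one-session-at-a-time spam source would only be caught by the rate limit.

```shell
#!/bin/sh
# Added example, not from the thread or from pf: replay a connection log
# against the thresholds of the quoted rule and report which sources the
# overload option would add to the <blocksmtp> table.
#
# Thresholds taken from the rule: max-src-conn 5, max-src-conn-rate 80/90
MAX_SRC_CONN=5      # simultaneous states allowed per source address
RATE_COUNT=80       # new connections allowed ...
RATE_SECONDS=90     # ... per this many seconds

# Constructed sample log (made-up addresses and timings), one event per line:
#   <epoch seconds> <source address> <open|close>
# Events of one source are emitted in time order; sources may interleave.
sample_log() {
    awk 'BEGIN {
        # 192.0.2.10: a polite MTA, four bursts of 3 parallel sessions
        for (b = 0; b < 4; b++) {
            base = 100 + b * 60
            for (i = 0; i < 3; i++) printf "%d 192.0.2.10 open\n", base + i
            for (i = 0; i < 3; i++) printf "%d 192.0.2.10 close\n", base + 30 + i
        }
        # 198.51.100.7: a legitimate backup MX flushing its queue with
        # 6 parallel sessions, one more than max-src-conn allows
        for (i = 0; i < 6; i++) printf "%d 198.51.100.7 open\n", 200 + i
        for (i = 0; i < 6; i++) printf "%d 198.51.100.7 close\n", 260 + i
        # 203.0.113.9: a spam source, one short session per second for 90 s,
        # never more than one at a time but far above 80 per 90 s
        for (i = 0; i < 90; i++)
            printf "%d 203.0.113.9 open\n%d 203.0.113.9 close\n", 300 + i, 300 + i
    }'
}

# Print "<source> <reason>" for every source that would be overloaded, sorted.
# The rate check keeps a sliding window of state creation times per source;
# pf's own source tracking keeps different bookkeeping, so treat this as an
# approximation of when the overload table would be populated.
overloaded_sources() {
    sample_log | awk -v max_conn="$MAX_SRC_CONN" -v rate_n="$RATE_COUNT" \
                     -v rate_s="$RATE_SECONDS" '
    $3 == "open" {
        t = $1 + 0; src = $2
        conc[src]++                              # one more live state from src
        n[src]++; ts[src, n[src]] = t            # remember this creation time
        # drop creation times that fell out of the rate window
        while (head[src] < n[src] && ts[src, head[src] + 1] <= t - rate_s)
            head[src]++
        recent = n[src] - head[src]
        if (src in reason) next                  # already in the overload table
        if (conc[src] > max_conn)
            reason[src] = sprintf("max-src-conn: %d simultaneous > %d at t=%d",
                                  conc[src], max_conn, t)
        else if (recent > rate_n)
            reason[src] = sprintf("max-src-conn-rate: %d new in %ds > %d at t=%d",
                                  recent, rate_s, rate_n, t)
    }
    $3 == "close" { if (conc[$2] > 0) conc[$2]-- }
    END { for (s in reason) print s, reason[s] }' | sort
}

# Stand-alone use: show what the rule would have blocked on the sample log.
overloaded_sources
```

On the sample log the polite MTA is never listed, the backup MX is listed under max-src-conn as soon as its sixth session opens, and the spam source is listed under max-src-conn-rate on its 81st connection inside the 90-second window. Swapping the constructed log for real data (and, if needed, the thresholds at the top) turns the same script into the check Volker suggests before tightening max-src-conn below what a backup MX actually uses.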