Rate-limiting in PF
Dave Horsfall
dave at horsfall.org
Sun Oct 1 02:11:43 UTC 2017
10.3-RELEASE-p21
I am trying to restrict woodpecker attempts to my mail server (stupid
spamware regards rejects and a long banner as a challenge), and,
following advice on this list, I used the following (the important bit,
anyway):
#
# No more than 10/IP, or 5/m should be plenty.
#
# max-src-conn: concurrent states per source IP; max-src-conn-rate: new
# connections per source IP per N seconds; overload: add the offender to
# <woodpeckers> (the table must be defined, and blocked by its own rule,
# elsewhere in pf.conf); flush global: kill all of that source's states.
pass inet proto tcp from any to any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <woodpeckers> flush global)
And here is a sample log; I can see that the 10/IP works, but the 5/m does
not seem to be blocking the 10s attempts:
Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
What have I done wrong? Does max-src-conn-rate actually work?
--
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
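The question above is whether the 11-second spacing in that log exceeds 5 connections per 60 seconds under pf's counting. As an added example (not part of the post, and not pf's own code), the script below replays the posted log lines against the way pf's source tracking counts for max-src-conn-rate: the per-source counter is zeroed when a new connection arrives more than N seconds after the connection that opened the current window, so it is a fixed window anchored on the first connection rather than a sliding one. Two assumptions are labelled in the code: the year 2017 is supplied because syslog omits it, and the log times are treated as a proxy for SYN arrival times even though sendmail writes the "did not issue MAIL/EXPN/VRFY/ETRN" line when the client disconnects.

```python
"""Replay MTA log lines against pf-style max-src-conn-rate counting.

pf keeps one counter per source address for max-src-conn-rate L/S: the
counter is zeroed when a new connection arrives more than S seconds
after the connection that started the current window, then incremented;
exceeding L triggers the overload action. This is a fixed window
anchored on the first connection, not a sliding window. The script
applies that rule to sendmail log lines and reports which connection,
if any, would have tripped it.
"""
import re
from datetime import datetime
from typing import Iterable, List, Tuple

# Log lines copied from the post. sendmail writes this message when the
# client disconnects, so these are close times, not SYN times; the
# assumption here is that the sessions were short and of similar length,
# so the spacing between SYNs was about the same as between these lines.
LOG = """\
Oct 1 09:40:44 aneurin sm-mta[73002]: v8UMeZml073002: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:40:55 aneurin sm-mta[73003]: v8UMejQm073003: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:06 aneurin sm-mta[73004]: v8UMeuVT073004: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:17 aneurin sm-mta[73005]: v8UMf6gp073005: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:28 aneurin sm-mta[73006]: v8UMfH58073006: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:40 aneurin sm-mta[73007]: v8UMfTfK073007: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:41:52 aneurin sm-mta[73008]: v8UMfgXH073008: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:03 aneurin sm-mta[73010]: v8UMfrxc073010: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:14 aneurin sm-mta[73011]: v8UMg4x4073011: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct 1 09:42:25 aneurin sm-mta[73012]: v8UMgFNw073012: [196.196.27.126] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
"""

# syslog timestamp, host, sm-mta[pid]: queue-id: [client-ip] ...
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: \[([0-9.]+)\]"
)

Event = Tuple[datetime, str]


def parse_log(log: str, year: int = 2017) -> List[Event]:
    """Extract (timestamp, client_ip) from sendmail lines. syslog omits the
    year, so one is supplied (assumed 2017, the date of the post)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2)))
    return events


def overload_hits(events: Iterable[Event], limit: int = 5, seconds: int = 60
                  ) -> List[Tuple[datetime, str, int]]:
    """Return (timestamp, ip, count) for every connection that pushes its
    source over limit/seconds under pf's fixed-window counting."""
    window_start = {}
    count = {}
    hits = []
    for ts, ip in sorted(events):
        start = window_start.get(ip)
        # pf: if window_start + seconds < now, zero the counter and restart
        if start is None or (ts - start).total_seconds() > seconds:
            window_start[ip] = ts
            count[ip] = 0
        count[ip] += 1
        if count[ip] > limit:
            hits.append((ts, ip, count[ip]))
    return hits


def report(log: str = LOG, limit: int = 5, seconds: int = 60
           ) -> List[Tuple[str, str, int]]:
    """overload_hits over the embedded log, with HH:MM:SS timestamps."""
    return [(ts.strftime("%H:%M:%S"), ip, n)
            for ts, ip, n in overload_hits(parse_log(log), limit, seconds)]


if __name__ == "__main__":
    for when, ip, n in report():
        print(f"{when} {ip}: connection #{n} in the window exceeds 5/60 -> overload")
```

With the posted spacing the sixth connection (logged at 09:41:40, 56 s after the first) is the one that exceeds 5/60, so the counter itself would trip if this rule is the one creating the states. If pf still blocks nothing, the things to check are that no other pass rule is matching these SYNs instead (pf is last-match unless a rule is marked quick; `pfctl -v -s rules` shows per-rule evaluation and state counters), that a block rule actually references `<woodpeckers>` (overload only populates the table), and whether the address has landed in it (`pfctl -t woodpeckers -T show`).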