Rate-limiting in PF

Max maximos at als.nnov.ru
Thu Oct 5 04:43:41 UTC 2017 

I think, it is exactly 5 connections per 60 seconds.

What does "pfctl -sS | grep 114.100.182.206" show?


05.10.2017 1:02, Dave Horsfall пишет:
> On Sun, 1 Oct 2017, Dave Horsfall wrote:
>
>> 10.3-RELEASE-p21
>>
>> I am trying to restrict woodpecker attempts to my mail server (stupid 
>> spamware regards rejects and a long banner it as a challenge), and 
>> following advice on this list I used the following (the important 
>> bit, anyway):
>>
>>    #
>>    # No more than 10/IP, or 5/m should be plenty.
>>    #
>>    pass inet proto tcp from any to any port smtp \
>>     flags S/SA keep state \
>>     (max-src-conn 10, max-src-conn-rate 5/60, \
>>     overload <woodpeckers> flush global)
>
> The max-src-conn-rate does not work according to the sample that I 
> posted, and now I am having severe doubts about max-src-conn after all:
>
> Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
>
> [...]
>
> Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
> Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: 
> [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to IPv4
>
> There were 498 in all.  So, does the rate-limiting work and I am doing 
> something wrong, or does it not work but is documented, and thus is 
> vapourware?
>

More information about the freebsd-pf mailing list