pf overload for SMTP (was: Thousands of ssh probes)

John john at
Fri Mar 5 16:35:09 UTC 2010

On Fri, Mar 05, 2010 at 04:01:32PM +0000, Matthew Seaman wrote:
> Hash: SHA1
> On 05/03/2010 15:44:39, John wrote:
> > Maybe I'll have to learn how to do a VPN from FreeBSD....
> > 
> > One thought that occurs to me is that pf tables would provide a
> > direct API without having to hit a database.
> > 
> > I think I really like this.  I may have to implement it for pf. 
> > It should be really easy with CGI and calls to pfctl.
> There's already a mechanism whereby you can connect into a PF firewall
> and have it open up extra access for you, all controlled by ssh keys.
> See:
> Not only that, but you can dynamically block brute force attempts to
> crack SSH passwords using just PF -- no need to scan through auth.log or
> use an external database.  You need something like this in pf.conf:
> table <ssh-bruteforce> persist
> [...near the top of the rules section...]
> block drop in log quick on $ext_if from <ssh-bruteforce>
> [...later in the rules section...]
> pass in on $ext_if proto tcp      \
>      from any to $ext_if port ssh \
>      flags S/SA keep state        \
>      (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> This adds IPs to the ssh-bruteforce table if there are too frequent
> attempts to connect from them (more than 3 within 30 seconds in this
> case) and so blocks all further access.
> You need to run a cron job to clear out old entries from the
> ssh-bruteforce table or it will grow continually over time:
> */12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1
> 	Cheers,
> 	Matthew

Is there any reason one couldn't do something similar for SMTP?  Maybe
a little wider sample window, like 10/300?  Or would you end up blocking
too any things that you don't mean to block?  Anyone played with this
for SMTP?

John Lind
john at starfire.MN.ORG

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of miseries.
  - Winston Churchill

More information about the freebsd-questions mailing list