Quoting Volker <[EMAIL PROTECTED]>:

Ed,

<SNIP />

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

Nope, that's the wrong way. You let pass smtp (by a quick rule) but
the block rule is after that. That is rendering your blocklist
useless as all traffic is passing by the first rule.

AFAIK the first connection causing an overload is being dropped but
subsequent connections are still passing (as long as they don't
overload).

It should look like:

block drop in quick on $ext_if from <blockhosts> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
keep state ( max-src-conn [ANYVAL], max-src-conn-rate
[ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

I have set it up as:

block drop in quick on $ext_if from <blocksmtp> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
  ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )

I'm still not flushing the table with tableexpire as I do with my bruteforce ssh table from crontab. I want to evaluate the entries for a while first.

I chose max-src-conn 5 because that is the max number of connections per IP in courier. I assume that should work and if I change it, I would think that I should probably change the courier esmtpd configuration also. Time will tell I guess.
Whenever any host is overloading ssh or smtp access, I'm loading
their IP address into the blockhosts table and so the machine will
never again talk to that IP address (forever!). You may want to do
it different (for example flushing the table once a week or at
midnight). One machine running this for months has already blocked
1400 IP addresses and as far as I've checked, all have been dynamic
zombies (no regular mail clients have been blocked by that).

I haven't found a way to use that mechanism to block such hosts for,
say 120 minutes (which would be a great feature).

For my ssh-bruteforce table I am using a crontab entry to expire the entries every 30 minutes. Just in case I shoot myself in the foot, the pain is reduced to half an hour. ;)

*/30    *       *       *       *       root    \
  /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed

Could it work and be controllable or would it make a bad situation worse?

You may use a blocking mechanism like that for any other host
service, too. If you're going to use that for UDP "connections" you
should be aware that they're connectionless and so options like
"max-src-connXXX" don't match here.

HTH,

Volker
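The rule-ordering point Volker makes above, as an added Python model (not pf itself and not code from this thread): it replays a burst of SMTP connections through the two "quick" rules in each order and shows that with the pass rule first, a host that was added to the overload table is served again as soon as its connection rate drops, while with the block rule first it stays blocked until the table is expired. The rule names, source addresses, the 3-per-10-seconds rate and the expiretable mimic are constructed assumptions, not pf's real evaluation code.

```python
# Simplified model of pf's first-match evaluation with 'quick' rules, written
# to show why 'block ... from <blockhosts>' must come before the 'pass in quick'
# SMTP rule.  Constructed example; not pf itself and not code from the thread.
from collections import defaultdict

class PfModel:
    """Two 'quick' rules evaluated in the given order, plus an overload table."""

    def __init__(self, order, max_rate, window):
        self.order = order                  # e.g. ["block_table", "pass_smtp"]
        self.max_rate = max_rate            # max-src-conn-rate N/window ...
        self.window = window                # ... per 'window' seconds
        self.blockhosts = {}                # <blockhosts> table: src -> time added
        self.conns = defaultdict(list)      # src -> timestamps of recent connections

    def new_connection(self, src, t):
        """Verdict ('pass' or 'block') for a new SMTP connection from src at time t."""
        for rule in self.order:
            if rule == "block_table":
                if src in self.blockhosts:
                    return "block"          # quick: evaluation stops here
            elif rule == "pass_smtp":
                recent = [ts for ts in self.conns[src] if t - ts < self.window]
                recent.append(t)
                self.conns[src] = recent
                if len(recent) > self.max_rate:
                    # overload <blockhosts>: record the source, drop this connection
                    self.blockhosts.setdefault(src, t)
                    return "block"
                return "pass"               # quick: evaluation stops here
        return "pass"                       # no rule matched (no default deny modelled)

    def expiretable(self, now, ttl):
        """Mimic 'expiretable -t ttl': drop table entries older than ttl seconds."""
        self.blockhosts = {s: t0 for s, t0 in self.blockhosts.items() if now - t0 <= ttl}

def verdicts(order, src="198.51.100.7", times=(0, 1, 1, 2, 32)):
    """Replay a burst of 4 connections in 2 s, then one more 30 s later."""
    fw = PfModel(order, max_rate=3, window=10)
    return [fw.new_connection(src, t) for t in times]

if __name__ == "__main__":
    print("pass before block:", verdicts(["pass_smtp", "block_table"]))
    print("block before pass:", verdicts(["block_table", "pass_smtp"]))
```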



_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf