Dave Horsfall wrote on 2017/03/31 23:29:
Does anyone have a PF rule that actually blocks woodpeckers?  I have this
rule:

     pass inet proto tcp from any to any port smtp \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 2/20, \
        overload <woodpeckers> flush global)

I understand that as being no more than twice in twenty seconds (which is
amply generous by my reading of the RFC), but it's not working; for
example, the latest problem-child is:

     Date: Mar 31 00:04:10 (v2UD3uT2070289)
     from=<[email protected]>
     relay=server1.manualpratico.info [186.251.128.25]
     reject=450 4.7.1 <[email protected]>... I greylist .info

     Date: Mar 31 00:14:25 (v2UDEBaT070308)
     from=<[email protected]>
     relay=server1.manualpratico.info [186.251.128.25]
     reject=450 4.7.1 <[email protected]>... I greylist .info

continuing every 15 seconds (and I've seen much worse) which I have
manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't
PF supposed to do that for me?

(And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure that each delivery attempt is a separate TCP connection? SMTP allows many messages in one opened session.

I am using this for blocking SSH attacks

     block drop in quick from <ssh_bruteforce> to any

     pass in log on $ext_if proto tcp from any to { $ext_addr, $jail_addr } \
        port $ext_ssh flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 6/60, \
        overload <ssh_bruteforce> flush global)

Miroslav Lachman
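Both rules in this thread hinge on what max-src-conn-rate actually counts: new TCP connections (state creations), not SMTP transactions. As an added example, not code from either poster, here is a small Python model of the overload semantics described in pf.conf(5), run over a constructed event stream; 186.251.128.25 is the relay quoted above, while the other addresses, the event times and the sliding-window model itself are assumptions (real PF approximates the window with a decaying counter).

```python
from collections import deque

# Constructed sample event stream (not taken from the thread's logs):
# (seconds since midnight, source IP, event). Only "connect" events are new
# TCP connections, which is all that max-src-conn-rate counts; "mail" events
# are further MAIL FROM transactions inside an already open SMTP session.
SAMPLE_EVENTS = (
    # The relay from the thread, retrying one new connection every 15 s.
    [(250 + 15 * i, "186.251.128.25", "connect") for i in range(40)]
    # Constructed host: one session carrying 30 delivery attempts.
    + [(300, "192.0.2.10", "connect")]
    + [(300 + i, "192.0.2.10", "mail") for i in range(1, 31)]
    # Constructed host: three separate connections within 12 s.
    + [(400, "192.0.2.20", "connect"), (405, "192.0.2.20", "connect"),
       (412, "192.0.2.20", "connect")]
)

def overload_table(events, limit=2, seconds=20):
    """Model 'max-src-conn-rate limit/seconds ... overload <table>' as a
    sliding window (assumption): a source goes into the table the first
    time it opens MORE than `limit` new connections within any interval of
    `seconds`. Returns {ip: time_at_which_it_tripped}."""
    recent = {}      # ip -> deque of connection times still inside the window
    tripped = {}
    for t, ip, event in sorted(events):
        if event != "connect" or ip in tripped:
            continue                       # extra messages in a session never count
        window = recent.setdefault(ip, deque())
        window.append(t)
        while window[0] <= t - seconds:    # discard connections older than the window
            window.popleft()
        if len(window) > limit:
            tripped[ip] = t
    return tripped

if __name__ == "__main__":
    # 2/20 as in the original rule: a 15 s retry cadence never exceeds two
    # connections per 20 s, and one busy session never counts more than once.
    print(overload_table(SAMPLE_EVENTS))          # {'192.0.2.20': 412}
    # Tightening to 1/20 is what catches the 15 s retries.
    print(overload_table(SAMPLE_EVENTS, 1, 20))   # {'186.251.128.25': 265, '192.0.2.20': 405}
```

With the original 2/20 setting the relay's 15 s retries stay under the threshold, which is one reason the overload table never fills by itself; the other is that retries reusing a single session are not new connections at all.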

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf