I think it is exactly 5 connections per 60 seconds.

What does "pfctl -sS | grep 114.100.182.206" show?


05.10.2017 1:02, Dave Horsfall wrote:
On Sun, 1 Oct 2017, Dave Horsfall wrote:

10.3-RELEASE-p21

I am trying to restrict woodpecker attempts to my mail server (stupid spamware regards rejects and a long banner as a challenge), and following advice on this list I used the following (the important bit, anyway):

   #
   # No more than 10/IP, or 5/m should be plenty.
   #
   pass inet proto tcp from any to any port smtp \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
    overload <woodpeckers> flush global)

The max-src-conn-rate does not work according to the sample that I posted, and now I am having severe doubts about max-src-conn after all:

Oct  4 14:21:04 aneurin sm-mta[88518]: v943Ksrr088518: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:15 aneurin sm-mta[88519]: v943L4EC088519: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:25 aneurin sm-mta[88520]: v943LFfa088520: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:36 aneurin sm-mta[88521]: v943LQHr088521: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 14:21:47 aneurin sm-mta[88522]: v943LanO088522: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

[...]

Oct  4 15:50:57 aneurin sm-mta[89297]: v944okM0089297: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:07 aneurin sm-mta[89298]: v944ovWd089298: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:18 aneurin sm-mta[89299]: v944p8xQ089299: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:29 aneurin sm-mta[89300]: v944pImO089300: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Oct  4 15:51:40 aneurin sm-mta[89301]: v944pTG2089301: [114.100.182.206] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

There were 498 in all.  So, does the rate-limiting work and I am doing something wrong, or does it not work but is documented, and thus is vapourware?

