Quoting Volker <[EMAIL PROTECTED]>:

Ed,

On 02/11/07 15:54, [EMAIL PROTECTED] wrote:
Quoting Volker <[EMAIL PROTECTED]>:

I just set up a machine using your suggestions, correctly I hope ;)
I have set it up as:

block drop in quick on $ext_if from <blocksmtp> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )

I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab.  I want to evaluate the entries for a
while first.

I chose max-src-conn 5 because that is the max number of connections per
IP in courier.  I assume that should work and if I change it, I would
think that I should probably change the courier esmtpd configuration
also.  Time will tell I guess.

Your rules are looking good so far. For the max-src-conn value you
have to check what value will be best for you. If you're using any
other server as a backup MX and you're the final destination, a value of
5 may be bad as postfix (for example) is using 5 as a concurrency
destination limit per default, which might easily blow your overload
rule and your backup MX might get blocked. You should check if that
value really works for you so as not to have legitimate hosts being
blocked.

Hi Volker,

I'm keeping my eye on that, thanks,

I haven't found a way to use that mechanism to block such hosts for,
say 120 minutes (which would be a great feature).

For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes.  Just in case I shoot myself in the foot, the
pain is reduced to half an hour. ;)

# /etc/crontab: every 30 minutes drop ssh-bruteforce entries older than one hour
*/30    *       *       *       *       root    /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

It's ok if it does fit your needs but remember if a host is being
blocked by your overload rules at 12:29 it's getting unblocked at
12:30. I haven't checked expiretable (really had it forgotten) which
might be a better solution as far as I remember expiretable right
from the ML discussion.

It was/is a bit confusing but according to the examples in the manual and in my testing a few months ago for ssh bruteforce, it seems to work as the

EXAMPLES
   The following removes any entries in table int.users older than one hour:

           # expiretable -v -t 3600 int.users

   This example removes any entries in table int.users older than one and a half hour:

           # expiretable -v -t 1h30m int.users

I'm not using it yet for smtp, but probably will eventually, with a minimum of a few days.


Thanks so much for sharing your configuration and advice.

You're welcome!

I've just written a small periodic script to have newly blocked IP
addresses being visible in the daily security report.

If you'll want to use it, change the table name and copy the file to
/usr/local/etc/periodic/security/... and chmod it executable:


/usr/local/etc/periodic/security/710.blockedhosts:
#!/bin/sh
# show changes in IP addresses being blocked by pf

# If there is a global system configuration file, suck it in.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

. /etc/periodic/security/security.functions

rc=0

blocktable=${blocktable-"blockhosts"}
cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
nc=`${cmd} | wc -l`

${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
#EOF

I was still missing the script and am going to install it now.

Thanks

ed

P.S.  The smtp settings seem to be working as expected so far.
Greetings,

Volker
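The behaviour discussed in this thread, modelled as an added example (constructed code, not pf's implementation and not from either poster): the per-source limits of the smtp rule (max-src-conn 5, max-src-conn-rate 80/90), the overload table with flush global, and the difference between a blanket cron flush and expiretable -t 3600 for an entry added at 12:29. The tracker is a deliberate simplification (no retransmits, no state timeouts), and the IP addresses and timestamps are made-up sample values.

```python
from collections import deque

MAX_SRC_CONN, RATE_CONNS, RATE_SECS = 5, 80, 90   # max-src-conn 5, max-src-conn-rate 80/90

class OverloadTracker:
    """Constructed, simplified model of pf's per-source limits and overload table."""
    def __init__(self, max_conn=MAX_SRC_CONN, rate_n=RATE_CONNS, rate_t=RATE_SECS):
        self.max_conn, self.rate_n, self.rate_t = max_conn, rate_n, rate_t
        self.open = {}     # src -> currently open states
        self.recent = {}   # src -> timestamps of new connections inside the window
        self.table = {}    # src -> time it was added to <blocksmtp>

    def connect(self, src, t):
        """New connection from src at time t; True if passed, False if dropped."""
        if src in self.table:          # block drop in quick ... from <blocksmtp>
            return False
        q = self.recent.setdefault(src, deque())
        q.append(t)
        while t - q[0] > self.rate_t:  # forget connections outside the 90 s window
            q.popleft()
        self.open[src] = self.open.get(src, 0) + 1
        if self.open[src] > self.max_conn or len(q) > self.rate_n:
            self.table[src] = t        # overload <blocksmtp> ...
            self.open[src] = 0         # ... flush global: its states are killed
            return False
        return True

    def close(self, src):
        self.open[src] = max(0, self.open.get(src, 0) - 1)

    def expiretable(self, now, age):
        """expiretable -t AGE: drop only entries older than AGE seconds."""
        old = [s for s, t0 in self.table.items() if now - t0 > age]
        for s in old:
            del self.table[s]
        return old

    def flush(self):
        """pfctl -t TABLE -T flush from cron: drops everything, age ignored."""
        old = list(self.table)
        self.table.clear()
        return old

def burst(tracker, src, n, t0, gap):
    """n short-lived connections from src, gap seconds apart; returns how many passed."""
    passed = 0
    for i in range(n):
        passed += tracker.connect(src, t0 + i * gap)
        tracker.close(src)
    return passed
```

With the sample values, 81 connections in eight seconds from one source pass 80 times and add the source to the table at t=7740 (12:29); expiretable(7800, 3600) at 12:30 keeps that entry, while flush() removes it.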
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"