Getting auto-block to work

Gary Palmer gpalmer at freebsd.org
Sat Apr 1 00:04:21 UTC 2017


On Sat, Apr 01, 2017 at 08:29:41AM +1100, Dave Horsfall wrote:
> Does anyone have a PF rule that actually blocks woodpeckers?  I have this 
> rule:
> 
>     pass inet proto tcp from any to any port smtp \
>         flags S/SA keep state \
>         (max-src-conn 10, max-src-conn-rate 2/20, \
>         overload <woodpeckers> flush global)
> 
> I understand that as being no more than twice in twenty seconds (which is 
> amply generous by my reading of the RFC), but it's not working; for 
> example, the latest problem-child is:
> 
>     Date: Mar 31 00:04:10 (v2UD3uT2070289)
>     from=<return at manualpratico.info>
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 <dave at horsfall.org>... I greylist .info
> 
>     Date: Mar 31 00:14:25 (v2UDEBaT070308)
>     from=<return at manualpratico.info>
>     relay=server1.manualpratico.info [186.251.128.25]
>     reject=450 4.7.1 <dave at horsfall.org>... I greylist .info
> 
> continuing every 15 seconds (and I've seen much worse), which I have 
> manually blocked ("pfctl -t woodpeckers -T add 186.251.128.25"), but isn't 
> PF supposed to do that for me?
> 
> (And yes, Sendmail also has this non-working "feature", but that's OT.)

Are you sure those are new connections and that the remote side isn't
just doing RSET and trying again on the same connection?  If it's
not making new connections, PF won't pick it up.

Regards,

Gary
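To make Gary's point concrete, here is an added example (not code from the thread or from pf itself) that replays a list of new-connection events through a threshold equivalent to `max-src-conn-rate 2/20`. It assumes a simple sliding window, which approximates pf's real counter (pf uses a decaying count, so exact boundaries differ slightly), and it only counts new TCP connections, because that is what pf counts: further RSET/MAIL FROM rounds on an already-open session never create a new state. The addresses 192.0.2.10 and 198.51.100.7 are constructed placeholders from the documentation ranges; the 2017 year and the sendmail-style timestamps mirror the quoted log excerpt.

```python
"""Replay new-connection events against a pf-style max-src-conn-rate limit.

Added example: approximates pf's overload trigger as a sliding window
(assumption; pf's own counter decays over the interval rather than sliding).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(stamp, year=2017):
    """Parse a sendmail/syslog style 'Mar 31 00:04:10' timestamp.

    Syslog omits the year; 2017 is assumed here to match the thread's date.
    """
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def overloaded_sources(events, limit=2, seconds=20):
    """Return {src_ip: timestamp_str} for sources that would be overloaded.

    events: iterable of (timestamp_str, src_ip), one entry per NEW TCP
    connection (a state creation in pf terms).  Retries on an existing
    connection must not appear here, which is exactly Gary's caveat.
    The rule fires when MORE than `limit` connections land inside any
    `seconds`-long window, matching the meaning of max-src-conn-rate L/S.
    """
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    fired = {}
    for stamp, ip in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(stamp)
        q = recent[ip]
        while q and ts - q[0] >= window:   # drop connections that aged out
            q.popleft()
        q.append(ts)
        if len(q) > limit and ip not in fired:
            fired[ip] = stamp              # first moment the overload would add the IP
    return fired


# Constructed sample input:
#  - the two entries quoted in the thread (10 minutes apart, so no overload)
#  - a placeholder source connecting every 15 s (only 2 per 20 s: still no overload)
#  - a placeholder source making 3 connections within 10 s (exceeds 2/20)
SAMPLE = [
    ("Mar 31 00:04:10", "186.251.128.25"),
    ("Mar 31 00:14:25", "186.251.128.25"),
    ("Mar 31 01:00:00", "192.0.2.10"),
    ("Mar 31 01:00:15", "192.0.2.10"),
    ("Mar 31 01:00:30", "192.0.2.10"),
    ("Mar 31 01:05:00", "198.51.100.7"),
    ("Mar 31 01:05:05", "198.51.100.7"),
    ("Mar 31 01:05:10", "198.51.100.7"),
]

if __name__ == "__main__":
    for ip, when in overloaded_sources(SAMPLE).items():
        print(f"{ip} would be added to <woodpeckers> at {when}")
```

Two things the replay makes visible: a source that reconnects every 15 seconds produces only two connections per 20-second window, so `2/20` never trips on it, and the two quoted log lines are ten minutes apart, so they could only matter if further connections happened in between. Note also that `overload <woodpeckers>` only populates the table; traffic from it is dropped only if a separate rule such as `block in quick from <woodpeckers>` exists, which the manual `pfctl -t woodpeckers -T add` in the question already relies on.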

