Ray Lai wrote:
On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
Chris Smith wrote:
In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether, so that the infected PCs cannot attempt other damage. How can this be accomplished?

You can use PF for that.

Pass connections from any to your smtp server, and block everything else to port 25 with log into a table. You also use that table to block all outgoing connections.

Can you really log into a table?  I don't see anything in pf.conf(5)
for that.

Why not?

spamd uses it and you can do many things.

I use something like this, for example, to limit connections to ssh. Just reverse it to limit connections to smtp instead. And then, instead of blocking the users in the table on the ssh port only, block all.

Just play with it, it's fun! (:>

I use different rules to trap various viruses, for example. Very efficient!

<snip>
# define macros for each network interface
ext_if="fxp0"

<snip>
# Define some variable for clarity
SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"

<snip>
# Table directive
table <bad_ssh> persist file "/var/log/bad_ssh"

<snip>
# Hosts already in <bad_ssh> get a RST back (logged) before any pass rule is
# considered; the rule has no interface or port, so it covers all their TCP traffic
block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
# Allow valid traffic to ssh (quick) and log all attempts as well; a source that
# exceeds the rate in $SSH_LIMIT is overloaded into <bad_ssh> and its states flushed
pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
   to $ext_if port ssh flags S/SA keep state \
   $SSH_LIMIT label "ssh"

<snip>

Then you add a cronjob to update your file /var/log/bad_ssh once a day or something, in case you patch your box and reboot, so as not to lose the list. Or you can flush it every 24 hours as well; it's your choice really, if you want to be more forgiving.

Daniel
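The rule set Daniel quotes turned around for SMTP, together with the cron job he describes for keeping the table across reboots, as an added example that is not part of the original thread and not OpenBSD's own code. It assumes OpenBSD pf with pfctl(8); the interface name, LAN range, relay address, table name, backing file and the 5/60 rate are all placeholders to adapt. One point it makes explicit, which is what Ray was getting at: pf adds a source to a table only through the overload option on a pass rule with keep state, not from a block rule, so direct-to-port-25 attempts from workstations are passed at a low rate and the offending source is then blocked entirely by the block rule in front.

```shell
#!/bin/sh
# Added example (not Daniel's or OpenBSD's own code): the quoted ssh rules
# reversed for SMTP, plus the persistence cron job described in the post.
# Assumes OpenBSD pf and pfctl(8); every value below is a placeholder.

INT_IF="fxp1"                   # LAN-facing interface (assumed)
LAN="192.168.1.0/24"            # workstation network (assumed)
MAIL_SERVER="192.168.1.25"      # the only host meant to speak SMTP outbound (assumed)
TABLE="bad_smtp"                # overload table (assumed name)
TABLE_FILE="/var/log/bad_smtp"  # backing file, same pattern as /var/log/bad_ssh

# Print the pf.conf fragment. A workstation opening more than 5 new SMTP
# connections a minute is overloaded into <bad_smtp>; the block rule placed in
# front of the pass rules then drops all of its traffic, which is the "block all"
# from the post. Order matters: quick rules win in the order written.
gen_smtp_rules() {
    cat <<EOF
table <$TABLE> persist file "$TABLE_FILE"
# Anything from a host already in the table is dropped and logged, not just port 25
block drop log quick on $INT_IF from <$TABLE> label "smtp-infected"
# The real relay may use port 25 freely
pass in quick on $INT_IF inet proto tcp from $MAIL_SERVER to any port smtp \\
    flags S/SA keep state label "smtp-relay"
# Everyone else on the LAN: more than 5 new connections a minute overloads the
# source into the table and flushes its existing states
pass in log quick on $INT_IF inet proto tcp from $LAN to any port smtp \\
    flags S/SA keep state \\
    (max-src-conn-rate 5/60, overload <$TABLE> flush global) label "smtp-direct"
EOF
}

# merge_lists: union of two newline-separated address lists, deduplicated and
# sorted, blank lines dropped. Plain text processing, so it can be checked
# without pf present.
merge_lists() {
    printf '%s\n%s\n' "$1" "$2" | sed '/^[[:space:]]*$/d' | sort -u
}

# persist_table: run from cron (e.g. once a day). Merges what pf currently holds
# in the table with the file, so that a reboot, which reloads the file through
# "persist file", keeps the accumulated list.
persist_table() {
    live=$(pfctl -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//')
    saved=$(cat "$TABLE_FILE" 2>/dev/null)
    merge_lists "$live" "$saved" > "$TABLE_FILE.tmp" && mv "$TABLE_FILE.tmp" "$TABLE_FILE"
}

# forgive_table: the more forgiving variant from the post. Drops entries added
# more than 24 hours ago and rewrites the file from what remains.
# "pfctl -T expire" is assumed to be available (current pfctl has it; an older
# release would need a plain "-T flush" instead).
forgive_table() {
    pfctl -t "$TABLE" -T expire 86400
    pfctl -t "$TABLE" -T show | sed 's/^[[:space:]]*//' > "$TABLE_FILE"
}

# Usage: ./smtp_table.sh rules >> /etc/pf.conf ; ./smtp_table.sh persist (from cron)
case "${1:-}" in
    rules)   gen_smtp_rules ;;
    persist) persist_table ;;
    forgive) forgive_table ;;
esac
```

Load the generated fragment with a syntax check first (pfctl -nf /etc/pf.conf) before pfctl -f, since a stray quick rule in the wrong place silently changes what the block rule covers; the persist and forgive modes are meant for two separate crontab entries, whichever of the two policies you prefer.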
