On Wed, Feb 22, 2006 at 04:17:35PM -0500, Daniel Ouellet wrote:
> Ray Lai wrote:
> >On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
> >>Chris Smith wrote:
> >>>In addition to preventing infected PCs from using their own SMTP engine
> >>>to send out spam by blocking port 25 from all but the mail server, I
> >>>would also like to add those hosts automatically to a table in order to
> >>>block their access altogether so that the infected PCs cannot attempt
> >>>other damage. How can this be accomplished?
> >>>
> >>You can use PF for that.
> >>
> >>pass connection from any to your smtp server and block everything else
> >>to port 25 with log into a table. You also use that table to block all
> >>outgoing connections.
> >
> >Can you really log into a table? I don't see anything in pf.conf(5)
> >for that.
>
> Why not?
>
> spamd uses it and you can do many things.
>
> I use something like this for example to limit the connection to ssh.
> Just reverse it to limit connection to smtp instead. And then instead of
> blocking the users in the table to the port ssh only, block all.
>
> Just play with it, it's fun! (:>
>
> I use different rules to trap various viruses for example. Very efficient!
>
> <snip>
> # define macros for each network interface
> ext_if="fxp0"
>
> <snip>
> # Define some variable for clarity
> SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"
>
> <snip>
> # Table directive
> table <bad_ssh> persist file "/var/log/bad_ssh"
>
> <snip>
> # Allow quick valid traffic to ssh but log all attempts as well
> block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
> pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
> to $ext_if port ssh flags S/SA keep state \
> $SSH_LIMIT label "ssh"
>
> <snip>
>
> Then you add a cronjob to update your file /var/log/bad_ssh once a day
> or something in case you patch your box and reboot so as to not lose the
> list. Or you can flush it every 24 hours as well, your choice really if
> you want to be more forgiving.
I thought you meant you could do something like:
block in log-table <zombie> to port 25
where <zombie> is updated automatically.
-Ray-
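Daniel's ssh rules turned around for the smtp case Chris asked about, as an added example that is not from the thread. Interface names, addresses, the table file path and the absence of NAT on the external interface are assumptions.

```pf
# Added example, not from the thread: the ssh overload rules reversed for SMTP.
# Interface names, addresses and the table file are assumed values.
ext_if="fxp0"
int_if="fxp1"
int_net="192.168.1.0/24"          # assumed LAN behind the firewall
mail_server="192.168.1.10"        # assumed legitimate relay on the LAN
SMTP_LIMIT="(max-src-conn-rate 3/60, overload <zombie> flush global)"

# Survives a reboot; dump the live table into the file from cron, as the
# original post suggests (assumed path):
#   0 * * * *  /sbin/pfctl -t zombie -T show > /var/db/zombie
table <zombie> persist file "/var/db/zombie"

# A state created on $int_if must not carry the packet out $ext_if, so the
# block-out rule below still bites while the pass-in rule counts sources.
set state-policy if-bound

# An overloaded host is cut off completely, not just on port 25
block log quick on $int_if from <zombie> label "zombie"

# The relay itself may deliver mail anywhere (assumes no NAT on $ext_if)
pass in  quick on $int_if inet proto tcp from $mail_server to any port smtp \
    flags S/SA keep state
pass out quick on $ext_if inet proto tcp from $mail_server to any port smtp \
    flags S/SA keep state

# LAN hosts may only submit mail to the relay
pass in quick on $int_if inet proto tcp from $int_net to $mail_server port smtp \
    flags S/SA keep state

# Direct port 25 from anything else is the infected-PC signature. overload only
# attaches to stateful pass rules, so this pass rule does the counting: more
# than 3 attempts in 60 s puts the source into <zombie> and flushes its states.
pass in log on $int_if inet proto tcp from $int_net to !$mail_server port smtp \
    flags S/SA keep state $SMTP_LIMIT label "smtp-direct"

# ... while nothing but the relay ever reaches port 25 on the outside, so the
# counted attempts never actually leave (if-bound keeps them out of this state).
block out log quick on $ext_if inet proto tcp from !$mail_server to any port smtp
```

This is as close as pf gets to the log-table idea Ray describes: a block rule cannot populate a table by itself, so the source tracking on a pass rule has to do the work, with the external block rule making sure the counted connections go nowhere.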