On Wed, Feb 22, 2006 at 04:17:35PM -0500, Daniel Ouellet wrote:
> Ray Lai wrote:
> >On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
> >>Chris Smith wrote:
> >>>In addition to preventing infected PCs from using their own SMTP engine
> >>>to send out spam by blocking port 25 from all but the mail server, I
> >>>would also like to add those hosts automatically to a table in order to
> >>>block their access altogether so that the infected PCs cannot attempt
> >>>other damage. How can this be accomplished?
> >>>
> >>You can use PF for that.
> >>
> >>Pass connections from any to your SMTP server and block everything else
> >>to port 25 with log into a table. You also use that table to block all
> >>outgoing connections.
> >
> >Can you really log into a table? I don't see anything in pf.conf(5)
> >for that.
>
> Why not?
>
> spamd uses it and you can do many things.
>
> I use something like this for example to limit the connections to ssh.
> Just reverse it to limit connections to smtp instead. And then instead of
> blocking the users in the table on the ssh port only, block all.
>
> Just play with it, it's fun! (:>
>
> I use different rules to trap various viruses for example. Very efficient!
>
> <snip>
> # define macros for each network interface
> ext_if="fxp0"
>
> <snip>
> # Define some variables for clarity
> SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"
>
> <snip>
> # Table directive
> table <bad_ssh> persist file "/var/log/bad_ssh"
>
> <snip>
> # Allow quick valid traffic to ssh but log all attempts as well
> block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
> pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
>     to $ext_if port ssh flags S/SA keep state \
>     $SSH_LIMIT label "ssh"
>
> <snip>
>
> Then you add a cronjob to update your file /var/log/bad_ssh once a day
> or something in case you patch your box and reboot so as not to lose the
> list. Or you can flush it every 24 hours as well, your choice really if
> you want to be more forgiving.
I thought you meant you could do something like:

    block in log-table <zombie> to port 25

where <zombie> is updated automatically.

-Ray-
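For reference, here is Daniel's ssh trap turned into the SMTP trap Chris asked about. This is an added example, not a ruleset from the thread or from any of its authors. The interface name, the mail server address, the table name <zombie>, the file /var/log/zombies and the 2/60 threshold are all assumed values; adjust them to the network in question. The point Ray raises still holds: a `block` rule cannot carry `overload`, so the trapping rule has to be a `pass` rule with a tight `max-src-conn-rate`, and the hosts it catches are then blocked outright by the first rule.

```pf
# Added example (not from the thread): trap LAN hosts that talk SMTP directly.
# Assumed values: internal interface fxp1, MTA at 192.0.2.25, table <zombie>,
# table file /var/log/zombies, threshold of 2 new connections per 60 seconds.
int_if="fxp1"
mail_server="192.0.2.25"

# Hosts already trapped; "persist file" preloads the list at boot.
table <zombie> persist file "/var/log/zombies"

# A trapped host loses all access, not only port 25. Logged for visibility.
block in log quick on $int_if from <zombie> label "zombie"

# The legitimate mail server may deliver mail anywhere.
pass in quick on $int_if inet proto tcp from $mail_server to any port smtp \
    flags S/SA keep state

# Any other LAN host opening outbound SMTP connections behaves like a spam
# engine. "block" cannot overload into a table, so this is a "pass" with a
# very low rate: more than 2 new SMTP connections in 60 seconds puts the
# source address into <zombie> and "flush global" kills every state it has.
pass in log quick on $int_if inet proto tcp from !<zombie> to any port smtp \
    flags S/SA keep state \
    (max-src-conn-rate 2/60, overload <zombie> flush global) label "smtp-trap"
```

Because the trap is a pass rule, the connections that trip the counter are let through, so keep the threshold small. The table is maintained with pfctl(8): `pfctl -t zombie -T show` lists the current entries, `pfctl -t zombie -T show > /var/log/zombies` from cron saves them so a reboot does not lose the list (Daniel's first option), `pfctl -t zombie -T expire 86400` drops entries older than a day (his more forgiving option), and `pfctl -t zombie -T delete 192.0.2.40` releases a single host once it has been cleaned.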