On 29.05., Walter Alejandro Iglesias wrote:
> In article <20200528165448.ga22...@flueckiger.lan> Bruno Flueckiger
> <inform...@gmx.net> wrote:
> > On 26.05., Walter Alejandro Iglesias wrote:
> > > I understand that this command:
> > >
> > > # pfctl -t spam -T expire <seconds>
> > >
> > > Takes in care the "Cleared" date:
> > >
> > > # pfctl -t spam -vT show
> > > ___.___.22.65
> > > Cleared: Mon May 25 16:10:22 2020
> > > ___.___.167.62
> > > Cleared: Mon May 25 16:10:22 2020
> > > [...]
> > >
> > > Is there a way to save and restore tables metadata after a reboot
> > > preserving those dates?
> > >
> >
> > You can save the list of IPs in a table and reload it after a reboot as
> > described here: https://www.bsdhowto.ch/savepftables.html
>
> Nice website. ;-)
>

Thanks :-)

> >
> > As there is no way to save the dates the date for each IP will be set to
> > the current date and time when load happens.
>
> The interesting point and the reason of my concern is to choose a
> convenient "expire time." With mail is problematic but with ssh, since
> I know exactly whom I want to allow external access (just me,) I let
> them accumulate. I block ssh attackers in the ssh port only, people
> sharing those addresses are not affected. So, I thought, the only
> concern in the ssh case was how much a big number of entries could
> affect pf performance, till at some point my tables reached the memory
> hard limit and I had to remove IPs arbitrarily. :-)
>

Well, I use my system in production. Therefore I prefer to be on the safe
side and remove old entries from my block tables rather than risking
instabilities or performance penalties.

> In summary, pfctl expire command does nothing after a reboot. Then you
> have two options:
>
> - To use a (cron) expire time significantly lower than the desirable.
>
> - To expire entries when your tables are about to reach the memory
> hard limit.
>
> In both cases you'll probably suffer spam again from IPs that were
> already blocked.
>

What is a desirable expire time for blocked IPs in your view?

For SSH I don't care how many times an attacker tries it. As soon as the IP
is in the blocking table I don't even get log entries for it.

In case of SMTP I don't rely solely on IP blocking to fight spam. The
blocking only kicks in if there are too many simultaneous connections
coming from the same IP.

Cheers,
Bruno
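Added example, not from this thread or from bsdhowto.ch: since pf resets every entry's "Cleared" date on load, this script parses the `pfctl -t spam -vT show` output, stores each address with its timestamp outside pf, and on restore keeps only the entries still inside the expiry window, so the surviving list can be fed to `pfctl -t spam -T replace -f <file>` and the expiry keeps working across a reboot. The sample output, addresses and dates are constructed; the "In/Block:" counter lines are assumed to look as pfctl prints them when a table has counters enabled.

```python
# Keep pf table entries together with their "Cleared" timestamps outside of
# pf, so an expiry window can still be applied after a reboot.
import re
from datetime import datetime, timedelta

# Constructed sample of `pfctl -t spam -vT show` output (documentation
# addresses, invented dates). Counter lines must be skipped by the parser.
SAMPLE_SHOW = """\
   192.0.2.65
	Cleared:     Mon May 25 16:10:22 2020
	In/Block:    [ Packets: 12   Bytes: 720 ]
   198.51.100.62
	Cleared:     Mon May 25 16:10:22 2020
   203.0.113.9
	Cleared:     Thu May 28 09:00:00 2020
"""

CLEARED_FMT = "%a %b %d %H:%M:%S %Y"  # date layout pfctl prints after "Cleared:"
ADDR_RE = re.compile(r"^\s*([0-9a-fA-F.:]+(?:/\d+)?)\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")


def parse_show(text):
    """Map each address in `pfctl -vT show` output to its Cleared datetime."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLEARED_RE.match(line)
        if m and current:
            entries[current] = datetime.strptime(m.group(1), CLEARED_FMT)
    return entries


def serialize(entries):
    """One 'address<TAB>ISO-timestamp' line per entry, for saving to disk."""
    return "".join(f"{ip}\t{ts.isoformat()}\n" for ip, ts in sorted(entries.items()))


def deserialize(text):
    """Inverse of serialize(); used when restoring after a reboot."""
    entries = {}
    for line in text.splitlines():
        ip, ts = line.split("\t", 1)
        entries[ip] = datetime.fromisoformat(ts)
    return entries


def still_valid(entries, expire_seconds, now):
    """Addresses younger than the expiry window; write these to the file
    passed to `pfctl -t <table> -T replace -f` so expired ones are dropped."""
    cutoff = now - timedelta(seconds=expire_seconds)
    return sorted(ip for ip, ts in entries.items() if ts > cutoff)
```

Run `parse_show` on the real `pfctl -vT show` output at shutdown (or from cron) and `serialize` to a file; at boot, `deserialize` it and load only `still_valid(...)` with your chosen window, then let the normal cron expire take over from there.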