On Wed, Sep 25, 2024 at 02:06:14PM +0200, Christian Schulte wrote:
> Hello @misc,
>
> I am currently searching for a way to implement sendmail's connection control
> features using pf. In sendmail I am using:
>
> dnl # Define connection throttling and window length
> define(`confCONNECTION_RATE_THROTTLE', `15')dnl
> define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
>
> dnl # Stop connections that overflow our concurrent and time connection rates
> FEATURE(`conncontrol', `nodelay', `terminate')dnl
> FEATURE(`ratecontrol', `nodelay', `terminate')dnl
>
> How is this - or something similar - done using pf?
>
> I read about max-pkt-rate, set delay, queueing, state modulation but still fail
> to get the full picture.
You can implement rate limiting using state tracking options with overflow. A fairly popular example for ssh is this one, https://home.nuug.no/~peter/pf/en/bruteforce.html, but please keep in mind that all those bits can be applied to anything that moves over TCP, and in this case it is likely most useful to use the number of connections over a time period as the thing to measure.

Another related set of examples and explanations can be found in the blog post forcing_the_password_gropers_through_a_smaller_hole.html (or with nicer formatting in exchange for G's trackers, https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html).

If you go the overload table + block (or tiny queue) route, it will be useful to set up periodic expiry of the table, as I believe is mentioned in the articles.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
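The overload-table approach the reply describes, applied to SMTP, as an added pf.conf example that is not part of the original thread or of either author's configuration. The table name smtp_bruteforce, the interface group egress, and the limits (15 new connections per 600-second window, chosen to mirror the 15 / 10m numbers in the question, plus a cap of 15 concurrent connections per source) are assumptions for illustration; adjust them to the real mail host.

```pf
# Sources that exceeded the connection limits land here.
# "persist" keeps the table around even while it is empty.
table <smtp_bruteforce> persist

# Drop further SMTP connection attempts from listed sources.
# "quick" so this wins over the later pass rule.
block in quick on egress proto tcp from <smtp_bruteforce> \
    to (egress) port smtp

# Accept SMTP, but track each source address:
#   max-src-conn       - at most 15 simultaneous connections per source
#   max-src-conn-rate  - at most 15 new connections per 600 seconds per source
#   overload <table>   - add the offending address to the table
#   flush global       - and kill every state that address already holds
pass in on egress proto tcp to (egress) port smtp \
    keep state (max-src-conn 15, max-src-conn-rate 15/600, \
    overload <smtp_bruteforce> flush global)

# Periodic expiry, run from root's crontab (here: once an hour), drops
# entries that have been in the table longer than 86400 seconds:
#   0 * * * * /sbin/pfctl -t smtp_bruteforce -T expire 86400
```

A few points worth checking on a live system: `pfctl -t smtp_bruteforce -T show` lists the addresses currently blocked, `pfctl -s states | grep ':25'` shows the SMTP states being counted against the limits, and if the host's mail is also relayed from trusted upstreams, add a `pass in quick` rule for those sources ahead of the tracked rule so a busy legitimate relay never overloads itself into the table.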