Another question about pf.
Perhaps I don't fully understand how connection rate is calculated.
The following line in /etc/pf.conf:
pass in log inet proto tcp to any port { smtp smtps } synproxy state \
(max-src-conn-rate 5/30, overload <smtp> flush global)
Shouldn't this prevent the following from happening?
In /var/log/maillog:
----------------------------------------------------
May 27 10:55:05 server smtpd[30272]: 1a931fba4746f485 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:55:06 server smtpd[30272]: 1a931fba4746f485 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:55:06 server smtpd[30272]: 1a931fba4746f485 smtp disconnected
reason=disconnect
May 27 10:55:06 server smtpd[30272]: 1a931fbbc5c841e4 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:55:06 server smtpd[30272]: 1a931fbbc5c841e4 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:55:07 server smtpd[30272]: 1a931fbbc5c841e4 smtp disconnected
reason=disconnect
May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:55:07 server smtpd[30272]: 1a931fbc9f586ee6 smtp disconnected
reason=disconnect
May 27 10:55:07 server smtpd[30272]: 1a931fbdf6b23f59 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
[...] Complete here with 311 entries with the same time interval.
May 27 10:59:11 server smtpd[30272]: 1a9320f8f8726fab smtp disconnected
reason=disconnect
May 27 10:59:11 server smtpd[30272]: 1a9320f9e3e281ab smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:59:11 server smtpd[30272]: 1a9320f9e3e281ab smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:59:12 server smtpd[30272]: 1a9320f9e3e281ab smtp disconnected
reason=disconnect
May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:59:12 server smtpd[30272]: 1a9320fa851b3e31 smtp disconnected
reason=disconnect
May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
May 27 10:59:13 server smtpd[30272]: 1a9320fbe3f04434 smtp disconnected
reason=disconnect
May 27 10:59:13 server smtpd[30272]: 1a9320fc4f172f88 smtp connected
address=192.119.68.113 host=hwsrv-733438.hostwindsdns.com
May 27 10:59:14 server smtpd[30272]: 1a9320fc4f172f88 smtp failed-command
command="RCPT TO:<[email protected]>" result="550 Invalid recipient:
<[email protected]>"
------------------------------------------------------
A total of *323* connections from the same IP, at intervals of less than
1/4 second, for more than four minutes.
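An added example, not part of the original post: a log-side check that counts `smtp connected` entries per source address in a sliding window and reports any source whose peak exceeds the rule's 5/30 threshold. It reads the maillog, not pf's own state accounting; the function names, the sample lines, the documentation addresses and the placeholder year are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches smtpd "smtp connected" entries in the single-line form of the log above.
CONNECTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmtpd\[\d+\]:\s\S+\ssmtp connected\s"
    r"address=(?P<addr>\S+)"
)

def rate_violations(lines, limit=5, window=30, year=2000):
    """Return {address: peak connections in any `window`-second span} for
    sources whose peak exceeds `limit` (defaults mirror max-src-conn-rate 5/30)."""
    recent = defaultdict(deque)   # address -> connect times still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = CONNECTED.match(line)
        if not m:
            continue              # disconnects, failed-commands, other daemons
        # syslog timestamps carry no year; `year` is an assumed placeholder
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["addr"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop connects that fell out of the window
        peak[m["addr"]] = max(peak[m["addr"]], len(q))
    return {addr: p for addr, p in peak.items() if p > limit}

def constructed_sample():
    """Constructed log lines (not taken from the post), documentation addresses."""
    fmt = ("May 27 10:55:{:02d} server smtpd[30272]: {:016x} smtp connected "
           "address={} host=example.invalid")
    burst = [fmt.format(s, 0x1a931fba0000 + i, "192.0.2.10")
             for i, s in enumerate((5, 6, 6, 7, 7, 8, 9, 9))]
    quiet = [fmt.format(s, 0x2b0000000000 + i, "198.51.100.7")
             for i, s in enumerate((0, 20, 40))]
    noise = ["May 27 10:55:06 server smtpd[30272]: 1a931fba4746f485 "
             "smtp disconnected reason=disconnect"]
    return burst + quiet + noise

if __name__ == "__main__":
    for addr, count in rate_violations(constructed_sample()).items():
        print(f"{addr}: {count} connections within 30s (limit 5)")
```

A source reported here should also be listed by `pfctl -t smtp -T show` if the rule matched its connections. The `overload` option only adds the address to the table, so later connections are dropped only when a separate block rule references `<smtp>`.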