Firewall question

webix · July 17, 2019, 2:53pm

Hello folks.
In this moment, i have the following firewall rules:

chain=forward action=add-src-to-address-list connection-state=new connection-limit=5000,32 protocol=tcp address-list=3rdAlertSPAM address-list-timeout=none-static out-interface=ETH1 dst-port=25,587 limit=5k/12h,0:packet log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new connection-limit=500,32 protocol=tcp address-list=2ndAlertSPAM address-list-timeout=1 out-interface=ETH1 dst-port=25,587 limit=500/1h,0:packet log=no log-prefix=""
chain=forward action=add-src-to-address-list connection-state=new connection-limit=50,32 protocol=tcp address-list=1stAlertSPAM address-list-timeout=5m out-interface=ETH1 dst-port=25,587 limit=50/30s,0:packet log=no log-prefix=""
chain=forward action=drop protocol=tcp src-address-list=1stAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""
chain=forward action=drop protocol=tcp src-address-list=2ndAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""
chain=forward action=drop protocol=tcp src-address-list=3rdAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""

What i want to accomplish is:

If more than 50 emails are sent in less than 30 seconds, the IP is blocked for 5 minutes.
If more than 500 emails are sent in less than 1 hour, the IP is blocked for 1 hour.
If more than 5,000 emails are sent in less than 12 hours, the IP is permanently blocked.

And i have some trouble to make this thing work. Someone can point me to the right direction?

sindy · July 17, 2019, 4:33pm

There is no constant relation between the number of e-mail messages (which may be of a very different size each) and the number of packets or bytes transported by a connection, so there is no way to limit by number of messages, only by number of bytes (comparison works up to 4 GB).

Another problem is that you can only count bytes during a single connection which is ephemeral, so if the address would disconnect and re-connect again, the counter would be reset. Vice versa, to drop down an ongoing connection you’d need to have an action=drop src-address-list=spam-blacklist rule before the “accept established” one in your forward chain, because otherwise already established connections would continue even though the remote address would be blacklisted.

Yet another possibility would be to use a script to create a counter rule for each new remote address, which could then count both packets and bytes across the individual connections, but I’m afraid both RAM and flash would protest against such method.

webix · July 17, 2019, 8:51pm

Hello sindy.

Thank you for informing that.
If i am not mistaken, “connection-state=new” means that take into account only the new connections, not the related or established connections. Right?
The “connection-limit=50,32” means that is a limit of 49 connections from same IP, no?
And finally “limit=50/30s,0:packet” means it’s 49 packets allowed over 30 seconds, if i am not mistaken.

So… All these combined on same rule i guess it will count the 1st packet from a new connection from same IP address. Or i am mistaken? If that is right, what is the difference if it’s the 1st packet of the connection that will send the email, or the email itself? Isn’t the final result the same?

Regards

sindy · July 17, 2019, 9:14pm

It is not, because decent systems aggregate tasks, so they send more than one message through the same connection, and usually keep TCP connections open for a while after use for the case that something more would need to be transported the same way. It has to do with reuse of client side TCP ports.

Even if you could assume that each message has its own dedicated connection, you’d still have to create an individual rule with nth matcher for each newly encountered remote address, so it would again mean scripting and stress for the flash.

webix · July 17, 2019, 9:55pm

So… what do you suggest?
I don’t have mail clients inside my network. Only mail servers.

Regards

mkx · July 18, 2019, 6:06am

SMTP servers have all the information needed to make educated decision about rate limiting. Some SMTP servers support limiting incoming mail rate.

webix · July 18, 2019, 6:16am

Yes. I know. But most of the servers I have are unmanaged by us. They are rented to our clients.

So, I have 2 solutions:

Configure firewall rules to limit the SMTP connections.
Redirect SMTP ports on router to a transparent SMTP filtering.

Any idea on how to do this out on the router?