From owner-FreeBSD-users-jp@jp.FreeBSD.org Tue Sep 25 23:46:52 2007
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id l8PEkqa77733;
	Tue, 25 Sep 2007 23:46:52 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.186])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id l8PEkpB77728
	for <FreeBSD-users-jp@jp.freebsd.org>; Tue, 25 Sep 2007 23:46:51 +0900 (JST)
	(envelope-from masaya.nakamura@gmail.com)
Received: by rv-out-0910.google.com with SMTP id g11so1464533rvb
        for <FreeBSD-users-jp@jp.freebsd.org>; Tue, 25 Sep 2007 07:46:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=beta;
        h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
        bh=mwtUEvNWofvw2bRuN9bk1X4DBEe8IZf014JrzbE41fU=;
        b=tnfsw4HdPrkh+YuNkFO9T9Tq17b5AsBMtoC4/fuusEzeCeTIqtqmEB5WtzAMMrZLznxueXHPIZ8A/PAuJLfpRgwJrKvPtEoyRP7PNo5WoIXFapezbN7cQS5YcBL53JGM53ulBiYS03HntBQzz9cDoLLRD5CsBXMaOfhm7dACtVQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
        b=eFu6CC6gw/YDJ8H4SNdfIyU4SKmPbgcQOdF0xaoCzx2sKOMitNqEvZIoZgvW8sDcQG6WMSfZIClZGjB8RypwJPxz3N2aG+Bg3Q8kkPDL6dyguxpCFYJXjcAQESnKf0VFieUB++SPWC23ClwP6T70IHia2uATUOOR8Bi0GnldVXw=
Received: by 10.141.177.2 with SMTP id e2mr1923779rvp.1190731604032;
        Tue, 25 Sep 2007 07:46:44 -0700 (PDT)
Received: by 10.140.132.6 with HTTP; Tue, 25 Sep 2007 07:46:43 -0700 (PDT)
Message-ID: <d8c974950709250746o1a4dc9ebg5abcd002d7aaba85@mail.gmail.com>
From: "masaya nakamura" <masaya.nakamura@gmail.com>
To: FreeBSD-users-jp@jp.FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Wed, 26 Sep 2007 00:46:43 +1000
X-Sequence: FreeBSD-users-jp 91051
Subject: [FreeBSD-users-jp 91051] pf =?ISO-2022-JP?B?GyRCJE4lRhsoQg==?=
 =?ISO-2022-JP?B?GyRCITwlViVrJE5GMDpuJEskRCQkJEYbKEI=?= 
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: masaya.nakamura@gmail.com
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

$BCfB<$G$9!#(B

pf$B$N%k!<%k%U%!%$%k$r=q$$$F$$$F%F!<%V%k$NF0:n$,$&$^$/$$$C$F$$$J$$$_$?$$$J$N$G$9$,(B
$B$*CN7C$rGR<Z$G$-$J$$$G$7$g$&$+!)(B

#pfctl -R -f /etc/pf.rules

で以下のルールファイルを読み込ませたのですが、/etc/spammers
に書いたIPアドレス(192.168.1.101)からのアクセスに対して接続が
拒否されないのです。

># SPAMMERS
>table <spam> persist file "/etc/spammers"
$B!'(B
>block quick on $ext_if from <spam> to any
ここの部分が全く機能していないように見えます。

pf$B$N%[%9%H$O(B192.168.1.10$B$K@_Dj$7$F$$$^$9!#(B
$B<B83$7$F$$$k(BIP$B%"%I%l%96u4V$,%W%i%$%Y!<%H%"%I%l%9$J$N$G(B$priv_nets$B$K(B
$BBP$9$k@_Dj$O%3%a%s%H%"%&%H$7$F;&$7$F$"$j$^$9!#(B

よろしくお願いします。

/etc/pf.rules
=======================
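# macros
ext_if = "bge0"

# TCP Services
ssh_services = "{ ssh }"
web_services = "{ http, https }"
mail_services = "{ smtp, pop3, pop3s, auth, imap4, imaps, submission }"
dns_services = "{ domain }"
ftp_services = "{ ftp, ftp-data }"

# UDP Services
udp_services = "{ domain }"

# ICMP Services
#icmp_types = "echoreq"
icmp_types = "{echoreq, unreach, squench, timex}"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# tables
# SPAMMERS
# Table contents are read from /etc/spammers (one address per line).
# NOTE: "pfctl -R -f" loads only the filter rules; the table definition and
# the file contents are not loaded, so <spam> stays empty and the block rule
# below matches nothing. Load the whole file with "pfctl -f /etc/pf.rules"
# and check the table with "pfctl -t spam -T show".
table <spam> persist file "/etc/spammers"

# options
# block-policy return: blocked TCP gets a RST and blocked UDP an ICMP
# unreachable, so a blocked client sees "connection refused" rather than
# a silent timeout.
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
#scrub out all random-id max-mss 1414

# filter rules
# default deny, logged: anything not explicitly passed below is blocked
block log all

pass quick on lo0 all

### BLOCK SPAMMERS ###
#block drop in quick on $ext_if from <spam> to any
# no direction given, so both inbound and outbound traffic of table members
# is blocked; "quick" ends rule evaluation for the matching packet
block quick on $ext_if from <spam> to any

#block drop in  quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

# inbound TCP services: state is created only by the initial SYN
# (flags S/SA). Each rule must stay on one line unless continued with a
# trailing backslash.
#block in quick on $ext_if proto tcp from any to ($ext_if) port $ssh_services
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $web_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $mail_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $dns_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ftp_services  flags S/SA keep state

# every other inbound TCP is blocked and logged
block in log quick on $ext_if inet proto tcp all

# inbound UDP: DNS only
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

block in log quick on $ext_if proto udp all

# ICMP
# only the listed ICMP types are accepted; the rest is blocked and logged
pass  in     quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
block in log quick on $ext_if inet proto icmp all

# outbound: stateful, TCP with randomised initial sequence numbers
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state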
==============================================

/etc/spammers
========================
192.168.1.101
========================
-- 
$BCfB<@5Li(B
