Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then
tag them for pf, see example here:
http://www.cymru.com/BGP/bogon-rs.html
/Pete
On 29 Dec 2005, at 18.32, eric wrote:
On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...
Has anyone on the list experience with using pf to
block IP addresses in the IANA reserved IP address ranges list?
I don't think any of us have ever thought of that.
Oh wait... I may have. Run this out of cron weekly:
#!/bin/sh
#; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
#; a small tool to grab bogon list from team cymru
#;
PATH="/usr/bin:/bin:/usr/sbin:/sbin"
BOGONFILE="/etc/bogon.txt"
BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"

# Refuse to run unless the file pf.conf points at already exists.
checkfile () {
  if [ ! -f "$BOGONFILE" ]; then
    echo "! $BOGONFILE must exist, exiting."
    exit 2
  fi
}

# Fetch into a temporary file and only move it over the live list if the
# download succeeded, so a failed fetch cannot truncate the bogon list.
getnewfile () {
  lynx -dump "$BOGONURL" > "$BOGONFILE.tmp" || { rm -f "$BOGONFILE.tmp"; exit 1; }
  mv "$BOGONFILE.tmp" "$BOGONFILE"
}

fixperm () {
  chmod 644 "$BOGONFILE"
}

logmsg () {
  logger -p kern.notice "rewrote $BOGONFILE"
}

checkfile
getnewfile
fixperm
logmsg
exit 0
Then...
table <bogon> persist file "/etc/bogon.txt"
Somewhere in your pf.conf.
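Two things the cron script above does not cover: pf reads a 'persist file' table only when the ruleset is loaded, so a rewritten file changes nothing until pfctl reloads the table, and whatever lynx dumps (including a rendered error page) becomes the table contents. The following is an added example, not eric's gbogl.sh and not Team Cymru's code; it filters the download to plausible IPv4 prefixes, keeps the old list when nothing valid survives, and reloads the table. The table name <bogon>, the file paths and the PFCTL override are assumptions.

```sh
#!/bin/sh
# Added example (not eric's gbogl.sh): validate a downloaded bogon list
# before it replaces the live file, and reload the pf table afterwards.
# Assumptions: table is named <bogon>; PFCTL can be set to ':' for dry runs.

# Keep only lines that are plausible IPv4 prefixes (a.b.c.d or a.b.c.d/nn).
# A lynx-dumped error page, banners or comments are dropped, so a failed
# download cannot end up as table contents.
filter_prefixes() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" |
    awk -F'[./]' '{
        ok = 1
        for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
        if (NF == 5 && $5 > 32) ok = 0
        if (ok) print
    }'
}

logmsg() {
    logger -p kern.notice "$1" 2>/dev/null || true
    echo "$1" >&2
}

# install_bogons RAW LIVE: filter RAW into a temp file next to LIVE, refuse
# to touch LIVE if nothing valid survived, otherwise replace it atomically
# and swap the pf table contents (pf does not reread a 'persist file' table
# by itself; the file is only read when the ruleset is loaded).
install_bogons() {
    raw=$1; live=$2
    tmp=$(mktemp "${live}.XXXXXX") || return 1
    filter_prefixes "$raw" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        logmsg "bogon update: no valid prefixes in $raw, keeping $live"
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$live"
    ${PFCTL:-pfctl} -t bogon -T replace -f "$live"
    logmsg "bogon update: rewrote $live and reloaded table <bogon>"
}

# Typical cron use (the fetch is kept separate so a network error is visible):
# ftp -o /tmp/bogon.raw http://www.cymru.com/Documents/bogon-bn-nonagg.txt &&
#     install_bogons /tmp/bogon.raw /etc/bogon.txt
```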