https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287461
--- Comment #2 from bc...@lafn.org ---

Here is the complete pf.conf:

# $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1 2007/11/11 02:16:00 mlaier Exp $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#############################################################################
#
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
#
#############################################################################

set reassemble yes
set skip on lo0

############ Macros:

MAILHOSTS = "{mail.sermon-archive.info}"
WEB = "{8000, 8001}"
MAIL = "{143, 993, 998}"
SMTP = "{25, 587}"
SSH = "75"
DNS = "53"
ext_if = "ue0"

############ Tables:

table <LOCAL> persist {10.0.0.0/16 !10.0.1.235}
table <blackhole> persist file "/etc/blackhole"
table <woodpeckers> persist

############ Options:

############ Normalization:

scrub in on $ext_if all fragment reassemble

############ Queueing: rule-based bandwidth control.

#altq on $ext_if cbq bandwidth 100% queue {normal, pop, mail}
# queue normal bandwidth 99% qlimit 100 cbq(default)
# queue pop bandwidth 500Kb qlimit 100 cbq
# queue mail bandwidth 500Kb qlimit 100 cbq

############ Translation: First Rule Matches

no rdr on { lo0, lo1 } from any to any

############ Filtering: Last Rule Matches

block in quick log inet proto tcp from <blackhole> to any
anchor "blacklistd/*" in on $ext_if
pass in quick inet proto tcp from <LOCAL> to any
pass in quick inet proto tcp from any to port $MAIL
pass in quick inet proto tcp from any to port $SMTP
pass in quick inet proto tcp from <LOCAL> to port $DNS
pass in quick inet proto tcp from any to port $WEB
pass in quick inet proto udp no state
pass out quick inet proto udp no state
block in log from <ext_if>
pass out

########### Currently disabled as mucks up filtering
# woodpeckers limit at 20/IP or 10/minute - cron purges hourly
#block in quick log on $ext_if proto tcp from <woodpeckers> to any port $SMTP
#pass in inet proto tcp to any port $SMTP \
#       flags S/SA keep state \
#       (max-src-conn 20, max-src-conn-rate 10/60, \
#       overload <woodpeckers> flush global)

Note that major sections are commented out. As for the anchor rules, they are established by blacklistd. I once saw them somewhere in the base code, but have no recollection of where that was. The following may help:

mail# pfctl -a blacklistd/25 -vsr
No ALTQ support in kernel
ALTQ related functions disabled
block drop in quick proto tcp from <port25> to any port = smtp
  [ Evaluations: 157845 Packets: 204 Bytes: 12698 States: 0 ]
  [ Inserted: uid 0 pid 579 State Creations: 0 ]
mail# pfctl -a blacklistd/587 -vsr
No ALTQ support in kernel
ALTQ related functions disabled
block drop in quick proto tcp from <port587> to any port = submission
  [ Evaluations: 157787 Packets: 10327 Bytes: 588300 States: 0 ]
  [ Inserted: uid 0 pid 492 State Creations: 0 ]

pftop only shows those entries.

-- 
You are receiving this mail because:
You are the assignee for the bug.
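The ruleset in the comment above relies on two things the pf.conf header itself calls out: filter rules are last-match, and `quick` short-circuits that, with the blacklistd anchor evaluated in place before the `pass in quick ... $SMTP` rule. The following is an added example, not code from the bug report or from FreeBSD: a simplified model of that evaluation order, run over a hand-transcribed subset of the posted filtering rules. Table contents and the sample packets are constructed (RFC 5737 addresses); interfaces, `log`, state tracking and the blacklistd/587 anchor are not modelled, and the trailing `block in log` is treated as a catch-all.

```python
from dataclasses import dataclass, replace

@dataclass
class Rule:
    action: str            # "pass", "block" or "anchor"
    quick: bool = False
    proto: str = ""        # "tcp", "udp" or "" for any protocol
    src_table: str = ""    # <table> the source must be listed in, "" for any
    dports: tuple = ()     # destination ports, () for any
    sub: tuple = ()        # rules loaded into the anchor when action == "anchor"

# Constructed table contents (RFC 5737 addresses); the real ones come from
# /etc/blackhole, the LOCAL definition and what blacklistd adds to <port25>.
TABLES = {"blackhole": {"203.0.113.9"}, "LOCAL": {"10.0.0.5"}, "port25": {"198.51.100.7"}}
def matches(rule, pkt):
    return ((not rule.proto or rule.proto == pkt["proto"])
            and (not rule.src_table or pkt["src"] in TABLES[rule.src_table])
            and (not rule.dports or pkt["dport"] in rule.dports))

def evaluate(rules, pkt, verdict="pass"):
    """Return (verdict, stopped). Last match wins: every matching rule overwrites
    the verdict; only a matching 'quick' rule (main ruleset or anchor) stops early."""
    for r in rules:
        if r.action == "anchor":            # evaluate the anchor's rules in place
            verdict, stopped = evaluate(r.sub, pkt, verdict)
            if stopped:
                return verdict, True
        elif matches(r, pkt):
            verdict = r.action
            if r.quick:
                return verdict, True
    return verdict, False                   # no quick match; pf's default is pass
# Subset of the posted filtering section, in order. Interfaces, 'log' and
# state are not modelled; the trailing block is treated as a catch-all.
RULESET = (
    Rule("block", quick=True, proto="tcp", src_table="blackhole"),
    Rule("anchor", sub=(Rule("block", quick=True, proto="tcp",   # blacklistd/25
                             src_table="port25", dports=(25,)),)),
    Rule("pass", quick=True, proto="tcp", src_table="LOCAL"),
    Rule("pass", quick=True, proto="tcp", dports=(143, 993, 998)),  # $MAIL
    Rule("pass", quick=True, proto="tcp", dports=(25, 587)),        # $SMTP
    Rule("pass", quick=True, proto="tcp", dports=(8000, 8001)),     # $WEB
    Rule("pass", quick=True, proto="udp"),
    Rule("block"),
)
def verdict(pkt, with_quick=True):
    # with_quick=False strips 'quick' from the main rules to show plain last-match
    rules = RULESET if with_quick else tuple(replace(r, quick=False) for r in RULESET)
    return evaluate(rules, pkt)[0]
```

Without `quick`, a connection to port 25 from an unlisted address would fall through to the trailing block, which is why the posted pass rules all carry it.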