This is Nakamura.

I have been writing a pf rule file and the table does not seem to be working.
Could anyone lend me some advice?

#pfctl -R -f /etc/pf.rules

I loaded the rule file below with this command, but connections from the IP
address written in /etc/spammers (192.168.1.101) are not being refused.

># SPAMMERS
>table <spam> persist file "/etc/spammers"
:
>block quick on $ext_if from <spam> to any
This part appears not to be working at all.

The pf host is set to 192.168.1.10.
Since the address space I am testing in uses private addresses, the settings
for $priv_nets have been commented out and disabled.

Thank you in advance.

/etc/pf.rules
=======================
# macros
ext_if = "bge0"

# TCP Services
ssh_services = "{ ssh }"
web_services = "{ http, https }"
mail_services = "{ smtp, pop3, pop3s, auth, imap4, imaps, submission }"
dns_services = "{ domain }"
ftp_services = "{ ftp, ftp-data }"

# UDP Services
udp_services = "{ domain }"

# ICMP Services
#icmp_types = "echoreq"
icmp_types = "{echoreq, unreach, squench, timex}"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# tables
# SPAMMERS
table <spam> persist file "/etc/spammers"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
#scrub out all random-id max-mss 1414

# filter rules
block log all

pass quick on lo0 all

### BLOCK SPAMMERS ###
#block drop in quick on $ext_if from <spam> to any
block quick on $ext_if from <spam> to any

#block drop in  quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

#block in quick on $ext_if proto tcp from any to ($ext_if) port $ssh_services
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $web_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $mail_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $dns_services  flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ftp_services  flags S/SA keep state

block in log quick on $ext_if inet proto tcp all

pass in quick on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

block in log quick on $ext_if proto udp all

# ICMP
pass  in     quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
block in log quick on $ext_if inet proto icmp all

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
==============================================

/etc/spammers
========================
192.168.1.101
========================
-- 
中村正也

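Added diagnostic example (not part of Nakamura's post, and not code from the pf project): pfctl's -R option loads only the filter rules section of a file, so the `table <spam> persist file ...` definition is skipped; the `block ... from <spam>` rule still loads (pf creates the referenced table on the fly), but the table stays empty and nothing is blocked. The script below reloads the full ruleset with a plain `pfctl -f`, then shows the table contents, the rules that reference it, and whether 192.168.1.101 actually matches. It assumes pf is enabled, the script runs as root, and /etc/pf.rules and /etc/spammers are as in the post; `valid_entry` and `count_entries` are hypothetical helpers added here to sanity-check the spammers file before loading, not pfctl features.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumptions: pf enabled,
# run as root, /etc/pf.rules and /etc/spammers exist as posted.
RULES=/etc/pf.rules
SPAMFILE=/etc/spammers
TABLE=spam

# Hypothetical helper: accept an IPv4 address with optional /prefix, the
# forms pf's table file loader expects (no hostnames in this check).
valid_entry() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Hypothetical helper: count usable entries in a spammers file, skipping
# blank lines and comments and reporting anything that is not an address.
count_entries() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_entry "$line"; then
            n=$((n + 1))
        else
            echo "bad entry in $1: $line" >&2
        fi
    done < "$1"
    echo "$n"
}

# Full reload: plain -f processes macros, tables, options and rules.
# With -R only the filter rules are loaded and the table definition is
# skipped, which leaves <spam> empty even though the block rule is present.
reload_and_check() {
    pfctl -nf "$RULES" || return 1      # parse only; catch syntax errors first
    pfctl -f "$RULES"  || return 1
    echo "--- contents of table <$TABLE> ---"
    pfctl -t "$TABLE" -T show
    echo "--- rules referencing <$TABLE> ---"
    pfctl -sr | grep "<$TABLE>"
    echo "--- does the test address match? ---"
    pfctl -t "$TABLE" -T test 192.168.1.101
}

# Refresh the table from the file without touching the rules, e.g. after
# adding an address to /etc/spammers.
refresh_table() {
    pfctl -t "$TABLE" -T replace -f "$SPAMFILE"
}

if command -v pfctl >/dev/null 2>&1 && [ -r "$SPAMFILE" ]; then
    echo "usable entries in $SPAMFILE: $(count_entries "$SPAMFILE")"
    reload_and_check
else
    echo "pfctl or $SPAMFILE not available on this host; nothing reloaded" >&2
fi
```

After the reload, `pfctl -t spam -T show` should list 192.168.1.101 and `-T test` should report a match; if the table is populated but the address is still not blocked, the problem is in rule ordering rather than the table. Use `refresh_table` whenever /etc/spammers changes, so the kernel table follows the file without a full ruleset reload.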