Nakamura here. I am writing a rule file for pf and the table does not seem to be working the way I expect. Could I borrow your wisdom?

I loaded the rule file below with

  #pfctl -R -f /etc/pf.rules

but connections from the IP address listed in /etc/spammers (192.168.1.101) are not refused.

># SPAMMERS
>table <spam> persist file "/etc/spammers"
>block quick on $ext_if from <spam> to any

This part appears not to be functioning at all.

The pf host is configured as 192.168.1.10. Since the address space I am experimenting in is a private address range, the settings for $priv_nets are commented out and disabled.

Thanks in advance.

/etc/pf.rules
=======================
# macros
ext_if = "bge0"

# TCP Services
ssh_services = "{ ssh }"
web_services = "{ http, https }"
mail_services = "{ smtp, pop3, pop3s, auth, imap4, imaps, submission }"
dns_services = "{ domain }"
ftp_services = "{ ftp, ftp-data }"

# UDP Services
udp_services = "{ domain }"

# ICMP Services
#icmp_types = "echoreq"
icmp_types = "{echoreq, unreach, squench, timex}"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# tables
# SPAMMERS
table <spam> persist file "/etc/spammers"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all
#scrub out all random-id max-mss 1414

# filter rules
block log all
pass quick on lo0 all

### BLOCK SPAMMERS ###
#block drop in quick on $ext_if from <spam> to any
block quick on $ext_if from <spam> to any

#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

#block in quick on $ext_if proto tcp from any to ($ext_if) port $ssh_services
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ssh_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $web_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $mail_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $dns_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ftp_services flags S/SA keep state
block in log quick on $ext_if inet proto tcp all

pass in quick on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
block in log quick on $ext_if proto udp all

# ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
block in log quick on $ext_if inet proto icmp all

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
==============================================

/etc/spammers
========================
192.168.1.101
========================

--
中村正也
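Added example (editor's addition, not code from the post or from pf itself): a small static cross-check of a pf.conf that lists every table referenced as <name> from a block/pass/match rule, every table declared with a "table <name>" line, and the persist files named by those declarations. A rule that points at a table the file never declares, or a declaration whose file cannot be read, shows up before pfctl is run. The sample rule file is constructed here, modelled on the rules in the post, with one extra reference to an undeclared table so the check has something to report; the file names and the extra table name are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the original post: static cross-check of a pf.conf.

# Tables declared with "table <name> ...", one name per line (comments skipped).
defined_tables() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" | sort -u
}

# Tables referenced from active block/pass/match rules, one name per line.
referenced_tables() {
    grep -E '^[[:space:]]*(block|pass|match)' "$1" \
        | grep -o '<[^>]*>' | tr -d '<>' | sort -u
}

# Names that rules reference but no "table" line declares (empty = all good).
undefined_tables() {
    rules=$1
    referenced_tables "$rules" | while IFS= read -r name; do
        defined_tables "$rules" | grep -qx "$name" || echo "$name"
    done
}

# Persist files named in table declarations that this host cannot read.
missing_table_files() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<[^>]*>.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | while IFS= read -r f; do [ -r "$f" ] || echo "$f"; done
}

# Constructed sample, modelled on the post's rules; <bruteforce> is an assumed
# name added on purpose so that undefined_tables has something to report.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample rule file
ext_if = "bge0"
table <spam> persist file "/etc/spammers"
block log all
pass quick on lo0 all
block quick on $ext_if from <spam> to any
#block drop in quick on $ext_if from <oldlist> to any
block in quick on $ext_if from <bruteforce> to any
EOF

echo "declared tables:";            defined_tables "$SAMPLE"
echo "referenced tables:";          referenced_tables "$SAMPLE"
echo "referenced but undeclared:";  undefined_tables "$SAMPLE"
echo "unreadable persist files:";   missing_table_files "$SAMPLE"
```

The static check only says whether the file is internally consistent; it does not replace looking at what the kernel actually holds. On the pf host, pfctl -t spam -T show lists the addresses currently in the table, pfctl -t spam -T test 192.168.1.101 reports whether that address matches it, and pfctl -sr prints the rule set as loaded, so a table that is declared in the file but empty in the kernel, or a block rule that never made it into the loaded set, can be told apart from a rule that is present but simply not matching.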