さくら VPS 用の pf.conf

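# /etc/pf.conf
#### Macros ####
# Public-facing NIC of the VPS. Every rule below goes through this macro;
# the filter rules use "($ext_if)" so an address change needs no reload.
ext_if="wm0"

#### Tables ####
# Loopback: must never appear as a source or destination on $ext_if.
table <local> const { 127.0.0.1 }
# RFC 1918 private space: not routable to or from the public Internet.
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-purpose / never-routable IPv4 space (RFC 6890 ranges plus the
# deprecated 6to4 relay anycast prefix). The blocks 14/8, 24/8, 39/8,
# 128.0/16 and 223.255.255/24 that older bogon lists carried are allocated
# today and must NOT be blocked; 100.64/10 (shared/CGNAT), 198.51.100/24
# and 203.0.113/24 (TEST-NET-2/3) are included. A stale bogon table
# silently drops legitimate traffic, so re-check it against the IANA
# special-purpose registry whenever this file is edited.
table <special> const { 0/8, 100.64/10, 127/8, 169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 198.51.100/24, 203.0.113/24, 224/4, 240/4 }
# Sources that tripped the ssh connection-rate limit; filled by the overload
# clause in the filter section. "persist" keeps the table even when no rule
# references it. Entries never expire by themselves, so age them out from
# cron, e.g.:  pfctl -t bad_hosts -T expire 86400
table <bad_hosts> persist

#### Options ####
set loginterface $ext_if     # per-interface counters for pfctl -s info (same NIC as the rules)
set block-policy drop        # discard silently: no RST / ICMP unreachable back to the sender
set optimization normal
set state-policy if-bound    # a state only matches on the interface it was created on
set require-order yes
set fingerprints "/etc/pf.os"

#### Traffic Normalization ####
# Reassemble fragments before filtering so the rules see whole packets
# (defeats fragment-overlap evasion) and so states match on them.
scrub in on $ext_if all fragment reassemble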

#### Queueing ####

#### Translation ####

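#### Filter ####
# Default deny in both directions: anything not explicitly passed below is
# dropped (block-policy drop) and logged to pflog.
block log all
# Loopback is trusted. This must stay ahead of the antispoof rule: packets a
# local process sends to the host's own $ext_if address travel over lo0 and
# would otherwise be caught by it.
pass quick on lo0 all
# Drop packets that claim to come from $ext_if's own address or network but
# arrive somewhere they cannot legitimately come from. The <local>/<private>/
# <special> block below does not cover the host's public address; this does.
antispoof log quick for $ext_if
# Sources that tripped the ssh rate limit (see table <bad_hosts>).
block drop in quick on $ext_if from <bad_hosts>

#
# in-bound
#
# Anti-spoofing: loopback, RFC 1918 and special-purpose space can never be a
# genuine source on the public interface.
block in log quick on $ext_if from { <local> <private> <special> } to any

# TCP
# ssh is open to the world, but a source that opens more than 30 connections
# in 300 s is added to <bad_hosts> and all of its existing states are killed
# ("flush global" also drops its http states). Raise the rate if legitimate
# automation (rsync/scp batches, monitoring) trips it.
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 30/300, overload <bad_hosts> flush global)
# http: unrestricted; add max-src-states or synproxy if it gets abused.
pass in quick on $ext_if proto tcp from any to ($ext_if) port http \
    flags S/SA keep state
block in log quick on $ext_if proto tcp all

# UDP
# No UDP service is exposed. Replies to this host's own UDP traffic (DNS
# lookups etc.) match the states created by the "pass out ... proto udp"
# rule below before this block is evaluated, so they still get through.
block in log quick on $ext_if proto udp all

# ICMP
# Only the ICMP messages a working TCP/IP stack depends on are accepted
# unsolicited: destination-unreachable (type 3, which includes "fragmentation
# needed" for path-MTU discovery) and time-exceeded (type 11). Echo requests
# are deliberately not passed, so the host does not answer ping.
pass in quick on $ext_if inet proto icmp all icmp-type 3
pass in quick on $ext_if inet proto icmp all icmp-type 11
block in log quick on $ext_if proto icmp all
# NOTE(review): the ICMP rules are "inet" only. If IPv6 is ever enabled on
# $ext_if, ICMPv6 (neighbour discovery, router advertisements, packet-too-big)
# falls through to "block log all" and IPv6 will not work; add matching
# "inet6 proto icmp6" rules before relying on it.

#
# out-bound
#
# Never emit packets for loopback, private or special-purpose destinations
# through the public interface.
block out quick on $ext_if to { <local> <private> <special> }

# SMB/NetBIOS: never let these leave the box (worm / lateral-movement noise).
block out quick on $ext_if proto {tcp udp} from any to any port 135
block out quick on $ext_if proto {tcp udp} from any to any port 137:139
block out quick on $ext_if proto {tcp udp} from any to any port 445
# SQL Slammer (MS-SQL resolution service, UDP 1434) and MS-SQL TCP 1433
block out quick on $ext_if proto {tcp udp} from any to any port 1433:1434

# Everything else outbound is allowed. "modulate state" rewrites the initial
# sequence number to compensate for weak ISN generation; "flags S/SA" creates
# state only on the initial SYN.
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto udp all keep state

# ICMP
# Echo requests sent by this host (ping) keep state so the replies come back;
# any other outbound ICMP is dropped and logged.
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
block out log quick on $ext_if proto icmp all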

カーネルコンフィグに pf と ALTQ も追加しないと駄目? — この pf.conf は Queueing セクションが空で queue を一つも定義していないので、ALTQ_* のオプションは不要。実行している GENERIC カーネルで pf / pflog の pseudo-device が有効になっていない場合に限り、その二行を追加すれば足りる。

# arch/amd64/conf/SAKURA_VPS
# Custom kernel for the VPS: GENERIC plus the pf packet filter and ALTQ.
# Only needed when the GENERIC kernel actually being run does not already
# have pf/pflog enabled.
include	"arch/amd64/conf/GENERIC"
# The packet filter itself and the pseudo-interface it logs blocked/logged
# packets to.
pseudo-device	pf		# PF packet filter
pseudo-device	pflog		# PF log if
# ALTQ queueing disciplines. These only matter for "altq on" / "queue" rules
# in pf.conf; the accompanying ruleset has an empty Queueing section, so
# every ALTQ_* line below can be left out until queueing is configured.
options 	ALTQ		# Manipulate network interfaces' output queues
options 	ALTQ_BLUE	# Stochastic Fair Blue
options 	ALTQ_CBQ	# Class-Based Queueing
options 	ALTQ_CDNR	# Diffserv Traffic Conditioner
options 	ALTQ_FIFOQ	# First-In First-Out Queue
options 	ALTQ_FLOWVALVE	# RED/flow-valve (red-penalty-box)
options 	ALTQ_HFSC	# Hierarchical Fair Service Curve
options 	ALTQ_LOCALQ	# Local queueing discipline
options 	ALTQ_PRIQ	# Priority Queueing
options 	ALTQ_RED	# Random Early Detection
options 	ALTQ_RIO	# RED with IN/OUT
options 	ALTQ_WFQ	# Weighted Fair Queueing