さくら VPS 用の pf.conf
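# /etc/pf.conf -- host firewall for a single-homed Sakura VPS guest (NetBSD, wm0).
# Policy: default deny in both directions; explicit allow for ssh/http inbound
# and for tcp/udp/ping outbound. Rules are first-match because of 'quick'.

#### Macros ####
ext_if="wm0"

#### Tables ####
# Loopback address; must never be seen as a source on the external interface.
table <local> const { 127.0.0.1 }
# RFC 1918 private space; spoofed if it arrives on $ext_if.
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-use / unroutable prefixes (RFC 5735, plus the RFC 5737 documentation nets).
# The entries 14/8, 24/8, 39/8, 128.0/16 and 223.255.255/24 found in older bogon
# lists are intentionally absent: they were reserved in RFC 3330 but have since been
# allocated to the RIRs and are in normal use, so keeping them silently drops
# legitimate clients. Re-check this table against the IANA special-purpose
# registry whenever it is revisited.
# NOTE(review): 100.64/10 (RFC 6598 shared/CGNAT space) is not listed; add it only
# after confirming the provider does not use it for anything this host needs.
table <special> const { 0/8, 127/8, 169.254/16, 192.0.0/24, 192.0.2/24, \
                        192.88.99/24, 198.18/15, 198.51.100/24, 203.0.113/24, \
                        224/4, 240/4 }
# Sources that tripped the ssh connection-rate limit (see the ssh rule).
# 'persist' keeps the table alive even with no rule referencing it, but nothing
# in this file ever expires entries; schedule e.g.
# `pfctl -t bad_hosts -T expire 86400` from cron, otherwise a block is permanent.
table <bad_hosts> persist

#### Options ####
set loginterface $ext_if
set block-policy drop            # drop silently instead of returning RST / ICMP unreachable
set optimization normal
set state-policy if-bound        # a state is only valid on the interface that created it
set require-order yes
set fingerprints "/etc/pf.os"

#### Traffic Normalization ####
# Reassemble fragments before filtering so every rule sees whole packets.
scrub in on $ext_if all fragment reassemble

#### Queueing ####
# (none -- no ALTQ queues are defined, so this file needs no ALTQ kernel support)

#### Translation ####
# (none -- single host, no NAT/rdr)

#### Filter ####
# Default deny, logged. Everything below is an exception to this rule.
block log all
pass quick on lo0 all
# Rate-limit offenders are dropped before anything else is evaluated (not logged).
block drop in quick on $ext_if from <bad_hosts>

#
# in-bound
#
# Anti-spoofing: packets claiming a loopback/private/special source cannot
# legitimately arrive on the external interface.
block in log quick on $ext_if from { <local> <private> <special> } to any

# TCP
# ssh: new connections only (SYN set, ACK clear), stateful. A source that opens
# more than 30 connections within 300 s is added to <bad_hosts> and *all* of its
# existing states are flushed ('flush global'), not just the ssh ones.
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 30/300, overload <bad_hosts> flush global)
# http: no rate limit here; the web server has to cope with load itself.
pass in quick on $ext_if proto tcp from any to ($ext_if) port http \
    flags S/SA keep state
block in log quick on $ext_if proto tcp all

# UDP
# No inbound UDP services; replies to our own queries match the outbound states.
block in log quick on $ext_if proto udp all

# ICMP
# Accept only destination-unreachable (type 3; code 4 is needed for PMTU
# discovery) and time-exceeded (type 11; traceroute). Echo-request is not
# accepted, so this host does not answer ping.
pass in quick on $ext_if inet proto icmp all icmp-type 3
pass in quick on $ext_if inet proto icmp all icmp-type 11
block in log quick on $ext_if proto icmp all
# NOTE(review): the ICMP rules in this file are IPv4-only ('inet proto icmp').
# If wm0 also carries IPv6, ICMPv6 matches none of them and ends up in
# 'block log all' in both directions, which kills neighbour discovery and with
# it all IPv6; add 'inet6 proto icmp6' rules (at least icmp6-type 133-136, plus
# 2 for packet-too-big) before relying on IPv6 here.

#
# out-bound
#
# Never emit traffic to loopback/private/special space on the public interface.
block out quick on $ext_if to { <local> <private> <special> }
# SMB/NetBIOS -- classic worm propagation ports; nothing on this host should use them.
block out quick on $ext_if proto {tcp udp} from any to any port 135
block out quick on $ext_if proto {tcp udp} from any to any port 137:139
block out quick on $ext_if proto {tcp udp} from any to any port 445
# SQL Slammer / MS-SQL
block out quick on $ext_if proto {tcp udp} from any to any port 1433:1434
# Everything else outbound is allowed. 'modulate state' is 'keep state' plus
# TCP ISN modulation (see pf.conf(5)).
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto udp all keep state

# ICMP
# Outbound ping only; echo-replies return through this state, not an inbound rule.
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
block out log quick on $ext_if proto icmp all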
カーネルコンフィグに pf と ALTQ も追加しないと駄目? （pf と pflog は必要。ただし上の pf.conf には queue ルールが無いので、ALTQ 系の options はこの設定には不要）
# arch/amd64/conf/SAKURA_VPS
# Custom kernel for the Sakura VPS guest: GENERIC plus PF built in.
# Of the options below, only pf and pflog are used by the accompanying
# /etc/pf.conf. That file's "Queueing" section is empty, so the ALTQ options
# build in code the ruleset never exercises; they are only needed once queue
# rules are added.
include "arch/amd64/conf/GENERIC"

# PF packet filter and its logging pseudo-interface (used by the 'log' rules).
pseudo-device pf                # PF packet filter
pseudo-device pflog             # PF log if
# pfsync (state synchronisation between redundant firewalls) is not included.

# ALTQ -- output queueing / traffic shaping. Unused by the current pf.conf.
options ALTQ            # Manipulate network interfaces' output queues
options ALTQ_BLUE       # Stochastic Fair Blue
options ALTQ_CBQ        # Class-Based Queueing
options ALTQ_CDNR       # Diffserv Traffic Conditioner
options ALTQ_FIFOQ      # First-In First-Out Queue
options ALTQ_FLOWVALVE  # RED/flow-valve (red-penalty-box)
options ALTQ_HFSC       # Hierarchical Fair Service Curve
options ALTQ_LOCALQ     # Local queueing discipline
options ALTQ_PRIQ       # Priority Queueing
options ALTQ_RED        # Random Early Detection
options ALTQ_RIO        # RED with IN/OUT
options ALTQ_WFQ        # Weighted Fair Queueing