#========================================
#
# subsection for abuse blocking
#
#========================================
#
# This section should be included early in the main /etc/ipf.conf file, right
# after any basic generic accounting ("count") rules, and any cleanup rules to
# block invalid fragments, invalid options (e.g. "ssrr"), etc.
#
# Note these will not actually block anything since they don't include the
# "quick" flag, and are thus part of a last-match group. They simply set up a
# group such that any connection logging rule further below won't also match if
# one of the rules in the group matches, no matter when or where the subsequent
# matching rule is added. I.e. all rules in the group are checked for a match
# (and a possible "first match" with "quick") before any subsequent rules
# further below are used. Note group rules can be added at any time, including
# at runtime after all other rules have been added -- they will still belong to
# the group and once added will be checked as part of the group.
#
# head of "blocklistd" group:
#
# The "blocklistd" group will be used by blocklistd(8).
#
block in proto tcp/udp from any to any head blocklistd
#
# head of "attackers" group to block all attackers:
#
# The "attackers" group is intended to be used for manually maintained rules,
# e.g. as could be added like this:
#
# echo 'block return-rst in log quick proto tcp from 118.136.0.0/15 to any flags S/SAFR group attackers' >> /etc/ipf.conf
# /etc/rc.d/ipfilter reload
#
# Note the choice in this example is to return RST packets for blocked SYN
# packets to help the other end close. This is not necessary, but it better
# mimics what the kernel does by default, thus perhaps hiding the fact a
# firewall is present.
#
# XXX This example still allows UDP services, but we would need to duplicate
# each rule with "proto udp" (and without "flags blah") due to IPF parsing
# limitations....
#
block in proto tcp/udp from any to any head attackers
#
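The append-and-reload procedure and the XXX note above, as an added shell example that is not part of the original ipf.conf: `attacker_rules` emits the TCP rule together with the UDP copy (no "flags" clause) that IPF's parser needs, and `append_attackers` appends those lines to a rules file and reloads only when /etc/rc.d/ipfilter exists. The function names and the CIDR values used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original ipf.conf. Emits the pair of rules the
# XXX note calls for: one TCP rule matching new connections (flags S/SAFR) and
# answering with RST, plus the same block repeated for UDP without "flags".
attacker_rules() {
    cidr="$1"
    # Minimal sanity check: require an a.b.c.d/n form before emitting anything.
    case "$cidr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "attacker_rules: expected CIDR a.b.c.d/n, got '$cidr'" >&2; return 1 ;;
    esac
    # TCP: only SYN-without-ACK/FIN/RST packets, i.e. new connection attempts.
    printf 'block return-rst in log quick proto tcp from %s to any flags S/SAFR group attackers\n' "$cidr"
    # UDP has no TCP flags, so the rule is duplicated without the "flags" clause.
    printf 'block in log quick proto udp from %s to any group attackers\n' "$cidr"
}

# Append rules for every listed CIDR to the given rules file (e.g. /etc/ipf.conf),
# then reload IPF the way the comment above does, if the rc script is present.
append_attackers() {
    file="$1"; shift
    for cidr in "$@"; do
        attacker_rules "$cidr" >> "$file" || return 1
    done
    if [ -x /etc/rc.d/ipfilter ]; then
        /etc/rc.d/ipfilter reload
    fi
}
```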