Slow Queue Setup with Packet Filter (PF)

Configure pf.conf | Add Undesirable Hosts

Traffic from spammers and other undesirable sources can be relegated to a slow queue using the Packet Filter (PF) firewall in OpenBSD and other operating systems.

Configure pf.conf

Entries and sample queue rules for pf.conf. This is not a complete configuration. Place the rule matching hosts in the spammer table at the end of the ruleset, so all traffic from undesirable sources is affected. An earlier rule should match SMTP traffic, and place it into the mail queue.

# table to store spammer addresses in
table <spammers> persist

# Sample queue rules
altq on $ext_if cbq bandwidth $bw_up queue { bulk, fast, spam }
queue bulk bandwidth 80% priority 1 cbq(default borrow red) { mail, web, ssh }
queue mail bandwidth 10% cbq(borrow ecn)
queue web bandwidth 75% cbq(red)
queue ssh bandwidth 15% cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive priority 6
queue ssh_bulk priority 3
queue fast bandwidth 10% priority 7 cbq(red)
# find the slowest possible queue for spammers
queue spam bandwidth 6Kb qlimit 1 priority 1 cbq(red)

# at bottom of rules, lump traffic from spammers into slow queue
pass in on $ext_if proto tcp from <spammers> to ($ext_if) keep state \
(max 512, source-track rule, max-src-nodes 512, max-src-states 64) \
queue(spam)

Add Undesirable Hosts

Either add spammers manually by running:

$ sudo /sbin/pfctl -t spammers -T add 192.0.2.5

Or use the badhost script that both adds addresses and clears any existing state entries for spammers. Setup sudo rules to allow non-root daemons to add addresses into the spammers table:

# sudoers rule to allow users in daemon group badhost access
%daemon ALL=(ALL) NOPASSWD: /usr/local/bin/badhost *

#!/usr/bin/perl
?
# example badhost call from a Perl script
system qw{/usr/bin/sudo /usr/local/bin/badhost -t spammers}, $remote_ip;

Use expiretable to expire table entries by age.