blocklist/etc/ipf.conf

#========================================
#
#	subsection for abuse blocking
#
#========================================
#
# This section should be included early in the main /etc/ipf.conf file, right
# after any basic generic accounting ("count") rules, and any cleanup rules to
# block invalid fragments, invalid options (e.g. "ssrr"), etc.
#
# Note these will not actually block anything since they don't include the
# "quick" flag, and are thus part of a last-match group.  They simply set up a
# group such that any connection logging rule further below won't also match if
# one of the rules in the group matches, no matter when or where the subsequent
# matching rule is added.  I.e. all rules in the group are checked for a match
# (and a possible "first match" with "quick") before any subsequent rules
# further below are used.  Note group rules can be added at any time, including
# at runtime after all other rules have been added -- they will still belong to
# the group and once added will be checked as part of the group.
#
#	head of "blocklistd" group:
#
# The "blocklistd" group will be used by blocklistd(8).
#
block in proto tcp/udp from any to any head blocklistd
#
#	head of "attackers" group to block all attackers:
#
# The "attackers" group is intended to be used for manually maintained rules
# e.g. as could be added like this:
#
#	echo 'block return-rst in log quick proto tcp from 118.136.0.0/15 to any flags S/SAFR group attackers' >> /etc/ipf.conf
#	/etc/rc.d/ipfliter reload
#
# Note the choice in this example is to return RST packets for blocked SYN
# packets to help the other end close.  This is not necessary, but it better
# mimics what the kernel does by default, thus perhaps hiding the fact a
# firewall is present.
#
# XXX This example still allows UDP services, but we would need to duplicate
# each rule with "proto udp" (and without "flags blah") due to IPF parsing
# limitations....
#
block in proto tcp/udp from any to any head attackers
#