OpenBSD Journal

Perl script to turn Spews Level 2 to PF rules

Contributed by jose on from the auto-firewall dept.

Harry McDonald writes:
"I wrote a small PERL script to convert to pf packet filtering rules. It should work as well for the Level 1 list.

On any given day this creates about 12000 rules. Theo says this quantity is no problem.

It seems to work quite well. Spam has stopped and other mail comes through.

Not only has the spam stopped but after a couple of days I noticed that much of the other malicious traffic to my server has dwindled as well.

Regardless of the controversy as to whether this should be done (denying packets) because it causes the sending computer to think it has encountered network problems, it's my computer.

The script is available at: which will direct you to the Usenet archive on

If you have difficulty with the URL let me know. Perhaps we can post the script here.


A useful utility to manage a lot of information and dynamically build PF rulesets.

(Comments are closed)

  1. By Idunno () on

    Add a mode to rdr packets to another port instead of dropping them. The somthing like rblsmtpd can be used to issue informative error messages.

  2. By Anonymous Coward () on

    Umm... did anyone else see that article about a server being exploited, and PHP in the OpenBSD ports possibly being vulnerable?

    I clicked the more link only to see an error that the message didn't exist. Upon reload the article was gone...

    Anyone in the know?

  3. By Anonymous Coward () on

    It would be nice to have skip rule working with a part of IP address in such application of pf.

  4. By W () on

  5. By Anonymous Coward () on

    Theo SAYS this will fine, but I have to imagine at some point it would become unmanagable and a performance hit would be involved.

  6. By edu () on

    I think this would be quite hard to implement in a large environment, both due to firewall performance problems and politics.

    I had a funny incident when at work one of our clients mail server got blacklisted, because someone broke in to it and made it an open relay. Apparently no one would have noticed this unless their mail would have stopped coming through to our servers...

  7. By Peter Hessler () on

    This is from their FAQ [] I have to post to a public newsgroup to ask if they will correct a wrong listing?

    Q42: My IP address/range is being listed by SPEWS but I'm not a spammer and I just signed up for this/these address(s). What can I do to be removed from the list?
    A42: SPEWS is just an automated system, if spam or spam involvement (hosting spammers, selling spamware) from your IP address/range ceases, it will drop out of the list in time. Normally the listing involves spam related problems with your host and the first step you need to take is to complain to them about the listing, in almost all cases, they are the only people who can get an address/range out of the SPEWS list. If there is a spam related problem with your host, their IP address/range will not be removed until it is resolved. If you are certain a listing mistake has been made, post a message in a public forum mentioned above with the SPEWS record number (eg. S123) and/or your IP address/range information in it. Placing the text "SPEWS:" in the subject can help a SPEWS editor or developer see the message and they may double check the listing - note that, although others may, no SPEWS editor or developer will ever reply to the posting. Will this get your IP address/range removed from a SPEWS listing? Not if there are currently spam related problems with your host. Be aware that posting ones email address to any publicly viewable forum or website makes it instantly available to spammers. If you're concerned about getting spammed, change or "mung" the email address you use to post with.

  8. By Anonymous Coward () on

    Why three passes? <br> <br> perl -lane 'next if/^#/;$a{$F[0]}++;END{print"block in log quick on $Ext proto tcp from $_ to any port 25"for sort keys%a}' spews_list_level2.txt

  9. By Sim () on

    In my experience, the nets in SPEWS originate 80% of the smurf attacks and other forms of network abuse. Might be a good idea to just block ALL traffic from those nets.

    Keep you from getting hacked, DOS'ed, etc.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]