Date:      Tue, 22 Dec 2009 06:46:47 +0000
From:      Peter Maxwell <peter@allicient.co.uk>
To:        Gaurav Ghimire <gaurav@subisu.net.np>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: External scripts with PF.
Message-ID:  <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com>
In-Reply-To: <4B304627.5020209@subisu.net.np>
References:  <4B2F0E9D.7020603@subisu.net.np> <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com> <03bd01ca8255$83b5a0f0$8b20e2d0$@com> <4B304627.5020209@subisu.net.np>

2009/12/22 Gaurav Ghimire <gaurav@subisu.net.np>:

> thinking if I could be informed via an email alert that a new IP has
> been added to the table abusive_ips. It seems this would have been
> possible if there was a possibility that I could trigger an external
> script on the 3rd rule I have. And the external script would just
> do pfctl -t abusive_ips -T show and mail it to me, or I could just have
> some more intelligence there and save a record of the previous show
> output and mail the diffs; that way I could get the new IPs that have
> been added to the table, and inform the clients that they have
> something fishy going on at their end that is bombing my mail servers. That
> way I would not need to make it a regular cron job and would have the
> advantage of running it only when a new IP is added to the table.
>
> Was just thinking if this could have been possible.

Writing or modifying a script to suit your needs then putting it in a
crontab to run even every few minutes will do what you want.  It will
also take significantly less effort than breaking out your C compiler
and learning enough about pf's API and internals to do it more
elegantly.

Apart from anything else, it is poor firewall design to have your
firewall box execute code based on rules getting hit; if you don't
understand why, seriously - get someone else to set up the firewall for
you.  If you look at commercial firewalls, any event notification is
not done by the firewall appliance itself; it's always done on either
a separate management console, IDS, SEM, whatever.
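As an added example (not code from the thread or from the pf project), here is the kind of cron-driven script Peter describes: it snapshots `pfctl -t abusive_ips -T show`, compares the snapshot with the one saved by the previous run, and mails only the newly added entries. The state-file path, the recipient, the `run` argument and the `SHOW_CMD` override (which lets the comparison logic be exercised with canned output off the firewall) are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: cron-driven watcher for a pf table.
# Assumed: state-file location, recipient, and the SHOW_CMD override.
TABLE="${TABLE:-abusive_ips}"                                        # table name from the thread
STATE_FILE="${STATE_FILE:-/var/db/pf-table-watch/${TABLE}.prev}"     # assumed path
RECIPIENT="${RECIPIENT:-root}"                                       # placeholder recipient
# Command that prints the table; overridable so the logic can be run
# elsewhere with constructed output instead of a live pf.
SHOW_CMD="${SHOW_CMD:-pfctl -t $TABLE -T show}"

# Normalise `pfctl -T show` output read from stdin: strip the indentation
# pfctl prints in front of each address, drop blank lines, sort, dedupe.
normalise() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") } $0 != ""' | LC_ALL=C sort -u
}

# Print the addresses in file $2 (current) that are absent from file $1
# (previous). Keyed on FILENAME rather than NR==FNR so that an empty
# previous snapshot (the very first run) does not swallow the current file.
new_entries() {
    awk -v prev="$1" 'FILENAME == prev { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Deliver the report read from stdin; swap this for syslog or a ticket
# system if that suits your monitoring setup better.
notify() {
    mail -s "pf table $TABLE: new entries on $(hostname)" "$RECIPIENT"
}

# One run: snapshot, compare with the previous snapshot, notify on
# additions, rotate the snapshot. Returns 0 when nothing new was seen.
check_table() {
    cur=$(mktemp) || return 1
    $SHOW_CMD | normalise > "$cur"
    mkdir -p "$(dirname "$STATE_FILE")"
    [ -f "$STATE_FILE" ] || : > "$STATE_FILE"   # first run: empty baseline
    added=$(new_entries "$STATE_FILE" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in pf table %s:\n\n%s\n' "$TABLE" "$added" | notify
    fi
    mv "$cur" "$STATE_FILE"
    [ -z "$added" ]
}

# Only act when invoked as "pf-table-watch.sh run", e.g. from crontab:
#   */5 * * * * /usr/local/sbin/pf-table-watch.sh run
case "${1:-}" in
    run) check_table ;;
esac
```

Because the baseline is rotated on every run, a client whose address ages out of the table and is later re-added shows up again as a new entry, which is usually what you want for an abuse notification. Running this from cron rather than from a rule hit keeps the firewall's packet path free of side effects, which is the point Peter makes above.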