From: "Travis H." <solinym@gmail.com>
Date: Tue, 18 Jul 2006 19:50:10 -0500
To: "Max Laier", rajkumars@gmail.com
Cc: freebsd-pf@freebsd.org
Subject: Re: Program to add/delete a rule from pf

On 7/18/06, Max Laier wrote:
> > After going through sources of pfctl and some other programs, I wrote
> > a skeletal program to add a rule via ioctl, but that is not working.

That sounds like the hard way to do it.

> Just a short hint rather than debugging your code: Did you look into using
> anchors like spamd and authpf do? That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.

That's probably the easiest way.

Another way is to use my dfd_keeper program, located at my homepage below. It allows you to make arbitrary modifications to the pf rules. It doesn't use ioctls; it remembers all the rules, makes modifications to them at run-time, and re-loads the ruleset completely. No anchors are really necessary, but you might want to use a few so you can "patch" the ruleset temporarily without modifying your dfd_keeper script (I provide the library, you provide the client script). There is an example. It's meant for making run-time rule changes, and even takes care of things like flushing states if you remove a pass rule, etc.

I would appreciate feedback on it. It may seem a bit like overkill at first, but it's really not that hard to understand. I have an example script, and the whole thing is not very much code... maybe 2k lines. There are OpenBSD packages for it and other prerequisites on my homepage as well.

The net result is that you get a textual interface to the firewall, and you can define an arbitrary set of commands that are available to the text interface. It's kind of like having a Unix shell, but for your firewall.

--
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
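The approach described in the thread (keep every rule in memory, edit the list, push the whole ruleset back through pfctl instead of issuing ioctls, and kill states when a pass rule disappears), sketched here as an added Python example. This is not dfd_keeper's code nor anything from the FreeBSD or OpenBSD projects; the anchor name "keeper", the rule handles ("ssh", "web") and the sample rule text are assumptions, and the default runner records the pfctl invocations instead of executing them so the script runs on a machine without pf. It combines Max's anchor hint with the full-reload model: all rules live in one anchor, so a reload never touches the administrator's main ruleset.

```python
"""Run-time pf rule keeper (added example, not dfd_keeper itself).

Model: the process is the source of truth for one anchor's rules. Every
change rewrites the *whole* anchor with `pfctl -a ANCHOR -f -`, which pf
applies atomically (the new set loads completely or not at all). Removing
a pass rule does not end connections it already allowed, so states are
killed explicitly afterwards.
"""
import subprocess
from dataclasses import dataclass

ANCHOR = "keeper"  # assumed name; pf.conf needs a line `anchor "keeper"` where these rules should take effect


@dataclass
class Rule:
    name: str   # handle the text interface refers to (assumed convention)
    text: str   # one pf rule, e.g. 'pass in quick on em0 proto tcp from 198.51.100.7 to any port 22'

    def is_pass(self) -> bool:
        return self.text.split()[0] == "pass"

    def source_host(self):
        """Host after 'from', or None when absent or 'any'."""
        toks = self.text.split()
        if "from" in toks:
            src = toks[toks.index("from") + 1]
            return None if src == "any" else src
        return None


def dry_run(argv, stdin=None):
    """Default runner: record the command instead of executing it."""
    return (argv, stdin)


def real_run(argv, stdin=None):
    """Runner for a live firewall; needs root and pf enabled."""
    subprocess.run(argv, input=stdin, text=True, check=True)
    return (argv, stdin)


class Keeper:
    def __init__(self, anchor=ANCHOR, run=dry_run):
        self.anchor = anchor
        self.rules = []      # ordered: pf is last-match unless a rule says 'quick'
        self.run = run
        self.history = []    # every pfctl invocation, useful as an audit trail

    def _pfctl(self, *args, stdin=None):
        self.history.append(self.run(["pfctl", *args], stdin))

    def _index(self, name):
        for i, r in enumerate(self.rules):
            if r.name == name:
                return i
        raise KeyError(name)

    def render(self) -> str:
        return "".join(r.text + "\n" for r in self.rules)

    def reload(self):
        # Replace the anchor's ruleset with the in-memory one, fed on stdin.
        self._pfctl("-a", self.anchor, "-f", "-", stdin=self.render())

    def add(self, name, text, before=None):
        if any(r.name == name for r in self.rules):
            raise ValueError(f"duplicate rule name {name!r}")
        idx = len(self.rules) if before is None else self._index(before)
        rule = Rule(name, text)
        self.rules.insert(idx, rule)
        self.reload()
        return rule

    def delete(self, name):
        rule = self.rules.pop(self._index(name))
        self.reload()
        if rule.is_pass():
            host = rule.source_host()
            if host is not None:
                self._pfctl("-k", host)       # kill states whose source is that host
            else:
                self._pfctl("-F", "states")   # rule was not host-specific: drop the state table
        return rule

    def flush(self):
        self.rules.clear()
        self._pfctl("-a", self.anchor, "-F", "rules")


if __name__ == "__main__":
    k = Keeper()
    k.add("ssh", "pass in quick on em0 proto tcp from 198.51.100.7 to any port 22")
    k.add("web", "pass in quick on em0 proto tcp from any to any port 80")
    k.delete("ssh")
    for argv, stdin in k.history:
        print(" ".join(argv), "<<< " + repr(stdin) if stdin else "")
```

Swap `dry_run` for `real_run` to drive an actual pf. Two caveats a practitioner should keep in mind: `pfctl -k host` only kills states with that source address, so a pass rule with `from any` falls back to flushing the whole state table here, which also drops every unrelated connection; and because the anchor is reloaded on every change, the administrator's placement of `anchor "keeper"` in pf.conf decides whether these rules win over or lose to the static ones, exactly the point Max makes about letting the user choose where the anchor goes.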