Date: Wed, 19 Jul 2006 11:50:24 +0530
From: "Rajkumar S" <rajkumars@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Program to add/delete a rule from pf
Message-ID: <64de5c8b0607182320m6c9d0d9er5636de052e448bf3@mail.gmail.com>
In-Reply-To: <200607181950.10304.max@love2party.net>
References: <64de5c8b0607181030h64d7d539r788ba7bbc6841e4d@mail.gmail.com> <200607181950.10304.max@love2party.net>
On 7/18/06, Max Laier <max@love2party.net> wrote:
> On Tuesday 18 July 2006 19:30, Rajkumar S wrote:
> Just a short hint rather than debugging your code: Did you look into using
> anchors like spamd and authpf do? That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.

Yes, I did consider that. In fact there is already an existing plugin for
snortsam working along this line. The way it works is to have an anchor with
the following rules.

table <blockin> persist
table <blockout> persist
block in log quick from <blockin> to any
block out log quick from any to <blockout>

Now the disadvantage is that this blocks all connections from an IP if a rule
gets triggered, which is pretty broad. What I want is to have finer grained
rules, i.e. block only the offending connection, defined by the sip, dip,
sport and dport. Such a configuration cannot be handled by tables, AFAIK. This
is the reason I wanted to add and remove the rules themselves. Of course this
will be done inside an anchor.

Just to clarify once more, my requirement is to add and remove rules like the
ones below inside an anchor.

block in quick on fxp0 proto tcp from 192.168.3.3 port 1025 to 64.233.167.99 port 80
block in quick on fxp0 proto tcp from 192.168.3.23 port 1054 to 72.14.207.99 port 8080

Rule additions and deletions will be triggered by snort, via snortsam. I would
have been happy if pfctl supported a -D option like iptables, as that is the
only thing I am lacking. I do not want to flush the anchor completely and start
all over again to delete a rule.

raj
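An added example, not code from this thread, from snortsam or from pf itself, showing the closest thing stock pfctl offers to an "iptables -D" for the per-connection block rules the message describes. pfctl has no single-rule delete, so the script keeps the anchor's rules in a local file, adds or removes one exact rule line there, and reloads the anchor from that file with "pfctl -a ANCHOR -f FILE". A load replaces the anchor's ruleset in one operation rather than flushing it first, so the remaining rules stay in force throughout. The anchor name "snortsam", the rules file path and the function names are my assumptions, not anything the message states. The file-editing functions touch no pf state, so they can be exercised without root or a pf kernel; only reload_anchor and kill_states call pfctl.

```shell
#!/bin/sh
# Added example: emulate a per-rule delete for a pf anchor with stock pfctl.
# Not from the original thread; anchor name and file path are assumptions.

ANCHOR="${ANCHOR:-snortsam}"                 # assumed anchor name
RULES="${RULES:-/var/db/snortsam.rules}"     # assumed source-of-truth file

# Build the one-connection block rule the message wants, in pf syntax.
# Arguments: iface proto sip sport dip dport
mk_rule() {
    printf 'block in quick on %s proto %s from %s port %s to %s port %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Append a rule to the rules file unless an identical line is already there.
# Arguments: file rule
add_rule() {
    grep -Fxq -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Remove exactly one rule text from the rules file. -F -x matches the whole
# line literally, so a rule that differs only in a port is left alone.
# Arguments: file rule
del_rule() {
    tmp=$(mktemp) || return 1
    grep -Fxv -- "$2" "$1" > "$tmp" || true   # grep exits 1 if nothing is left
    mv "$tmp" "$1"
}

# Number of rules currently in the file (the anchor's intended contents).
count_rules() {
    wc -l < "$1" | tr -d ' '
}

# Load the file into the anchor. This replaces the anchor's ruleset in one
# load; pfctl needs root and a pf-enabled kernel for this step.
# Arguments: file
reload_anchor() {
    pfctl -a "$ANCHOR" -f "$1"
}

# A block rule only affects packets that do not already match a state, so a
# connection snort saw is usually established and keeps flowing. Kill its
# states too. pfctl -k takes hosts, not ports, so this is coarser than the
# rule itself: every state between the two hosts is removed.
# Arguments: sip dip
kill_states() {
    pfctl -k "$1" -k "$2"
}

# Typical flow when snortsam reports an offending connection:
#   r=$(mk_rule fxp0 tcp 192.168.3.3 1025 64.233.167.99 80)
#   add_rule "$RULES" "$r" && reload_anchor "$RULES" && kill_states 192.168.3.3 64.233.167.99
# and when the block expires:
#   del_rule "$RULES" "$r" && reload_anchor "$RULES"
```

The anchor itself still has to be referenced from the main ruleset (for example "anchor snortsam" placed where the plugin's users want it, as Max suggests), and the rules file should live on a root-only path with mode 0600, since anything that can write it controls what the anchor blocks.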