Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 09 Mar 2011 20:49:36 -0500
From:      Tom Uffner <tom@uffner.com>
To:        "quentin.narvor" <quentin.narvor@ensi-bourges.fr>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Dynamically adding entry in a table
Message-ID:  <4D782E30.5030908@uffner.com>
In-Reply-To: <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>
References:  <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>

next in thread | previous in thread | raw e-mail | index | archive | help
quentin.narvor wrote:
> I'd like to dump (dup-to operation) all traffic from a subset of hosts
> belonging to my internal network. This subset of hosts will be stored in
> a table.
>
> I have another table referring to blacklisted hosts (ie botnets, etc).
> When a
> packet goes through the firewall with destination host = an IP of
> blacklist table, I'd like to trigger an addition to the first table (the
> one containing internal host to dump traffic).

let's call your two tables watchhosts & blackhosts.

ensure that you are logging packets w/ destinations in the blacklist table
(eg. "pass out log on $ext_if to <blackhosts>"). if you are logging a lot
of traffic you may find it useful to create a separate pflog for this rule
and use "log (to <interface>)" in this rule.

write a script that reads the pflog and parses source addresses from packets
that trip the blackhosts rule above. the script then uses something like
"pfctl -t watchhosts -T add <src addr>" to add the address to your table.

please consult the man pages pf.conf(5), pfctl(8) and pflog(4) for additional
information.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D782E30.5030908>