Date: Wed, 09 Mar 2011 20:49:36 -0500
From: Tom Uffner <tom@uffner.com>
To: "quentin.narvor" <quentin.narvor@ensi-bourges.fr>
Cc: freebsd-pf@freebsd.org
Subject: Re: Dynamically adding entry in a table
Message-ID: <4D782E30.5030908@uffner.com>
In-Reply-To: <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>
References: <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>
quentin.narvor wrote:
> I'd like to dump (dup-to operation) all traffic from a subset of hosts
> belonging to my internal network. This subset of hosts will be stored in
> a table.
>
> I have another table referring to blacklisted hosts (i.e. botnets, etc.).
> When a packet goes through the firewall with destination host = an IP of
> blacklist table, I'd like to trigger an addition to the first table (the
> one containing internal host to dump traffic).

Let's call your two tables watchhosts & blackhosts.

Ensure that you are logging packets w/ destinations in the blacklist table
(e.g. "pass out log on $ext_if to <blackhosts>"). If you are logging a lot
of traffic you may find it useful to create a separate pflog for this rule
and use "log (to <interface>)" in this rule.

Write a script that reads the pflog and parses source addresses from
packets that trip the blackhosts rule above. The script then uses
something like "pfctl -t watchhosts -T add <src addr>" to add the address
to your table.

Please consult the man pages pf.conf(5), pfctl(8) and pflog(4) for
additional information.
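The script Tom outlines, written out as an added example (it is not part of the thread and not Tom's or the FreeBSD project's code). It assumes a dedicated pflog interface named pflog1 (created with "ifconfig pflog1 create" and named in the rule's "log (to pflog1)"), an internal network under 10/8, and the line format tcpdump prints for pflog(4) with "-n -e -ttt". One caveat worth building in: pf evaluates translation before filter rules, so a "pass out log on $ext_if" rule on a NAT gateway sees the translated source address, not the internal host's; the assumed pf.conf in the comments therefore puts the logging rule on the internal interface so that the logged source is the host you want to watch. The sample log lines in the block are constructed, not captured.

```shell
#!/bin/sh
# Added example: feed the source addresses logged by the <blackhosts> rule
# into the <watchhosts> table with pfctl, as described in the reply above.
#
# Assumed pf.conf fragment (hypothetical macros/interfaces):
#   table <blackhosts> persist file "/etc/pf/blackhosts"
#   table <watchhosts> persist
#   pass in log (to pflog1) on $int_if from $int_net to <blackhosts>
#   pass in on $int_if from <watchhosts> dup-to ($span_if $span_gw)
# The log rule sits on $int_if on purpose: nat runs before filter rules, so a
# "pass out on $ext_if" rule would log the translated (external) source.

PFLOG_IF="${PFLOG_IF:-pflog1}"              # dedicated pflog, see pflog(4)
WATCH_TABLE="${WATCH_TABLE:-watchhosts}"
INTERNAL_NET="${INTERNAL_NET:-10.}"          # assumed 10/8 LAN, prefix match
PFCTL="${PFCTL:-pfctl}"                      # overridable for dry runs

# extract_src: stdin is "tcpdump -n -e -ttt -i pflog1" output, e.g.
#   000000 rule 3/0(match): pass in on em1: 10.0.0.5.51234 > 203.0.113.7.80: ...
# Prints each internal source address once, with any TCP/UDP port stripped.
# ICMP lines carry a bare address ("10.0.0.9 > 203.0.113.7:"), so the port
# strip only fires when the token splits into five dotted parts.
extract_src() {
    awk -v pfx="$INTERNAL_NET" '
        / pass (in|out) on / {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i == "on" && $(i + 3) == ">") { src = $(i + 2); break }
            if (src == "") next
            if (split(src, o, ".") == 5) src = o[1] "." o[2] "." o[3] "." o[4]
            if (substr(src, 1, length(pfx)) == pfx && !seen[src]++) {
                print src
                fflush()        # keep the pipeline live, tcpdump runs forever
            }
        }'
}

# add_to_table ADDR...: the pfctl(8) call from the reply. "-T add" creates
# the table if it does not exist yet; re-adding an address is harmless.
add_to_table() {
    "$PFCTL" -t "$WATCH_TABLE" -T add "$@"
}

# watch_pflog: run until killed, adding each new internal source as it is
# logged. "-l" makes tcpdump line-buffer its output into the pipe.
watch_pflog() {
    tcpdump -l -n -e -ttt -i "$PFLOG_IF" | extract_src |
    while read -r addr; do
        add_to_table "$addr"
    done
}

# sample_log: constructed lines in the pflog tcpdump format, not real traffic.
# Expected from extract_src: 10.0.0.5 and 10.0.0.9 (the second 10.0.0.5 line
# is a duplicate, the block line is a different rule, 192.168.5.5 is outside
# the watched prefix).
sample_log() {
    cat <<'EOF'
000000 rule 3/0(match): pass in on em1: 10.0.0.5.51234 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
000012 rule 3/0(match): pass in on em1: 10.0.0.9 > 203.0.113.7: ICMP echo request, id 1, seq 1, length 64
000003 rule 3/0(match): pass in on em1: 10.0.0.5.51235 > 203.0.113.8.443: Flags [S], seq 2, win 65535, length 0
000040 rule 0/0(match): block in on em0: 198.51.100.23.4444 > 192.0.2.1.22: Flags [S], seq 3, win 1024, length 0
000002 rule 3/0(match): pass in on em1: 192.168.5.5.1025 > 203.0.113.9.80: Flags [S], seq 4, win 65535, length 0
EOF
}

# "sh watch.sh run" starts the live loop; without "run" the functions are
# only defined, so the script can be sourced or dry-run with PFCTL=echo.
if [ "${1:-}" = "run" ]; then
    watch_pflog
fi
```

Run it as root with "sh watch.sh run"; to see what it would do without touching pf, "PFCTL=echo sh watch.sh run" prints the pfctl arguments instead. The dup-to rule in the comment references <watchhosts> directly, so hosts take effect as soon as pfctl adds them, and "pfctl -t watchhosts -T show" lists what has been caught so far.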