From owner-freebsd-pf@FreeBSD.ORG Thu Mar 10 02:08:38 2011
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 18E9F1065672 for freebsd-pf@freebsd.org; Thu, 10 Mar 2011 02:08:38 +0000 (UTC) (envelope-from tom@uffner.com)
Received: from eris.uffner.com (uffner.com [66.208.243.25]) by mx1.freebsd.org (Postfix) with ESMTP id B71938FC1B; Thu, 10 Mar 2011 02:08:37 +0000 (UTC)
Received: from [10.69.69.61] (static-71-162-143-90.phlapa.fios.verizon.net [71.162.143.90]) (authenticated bits=0) by eris.uffner.com (8.14.3/8.14.3) with ESMTP id p2A1ngnK089622 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2011 20:49:48 -0500 (EST) (envelope-from tom@uffner.com)
Message-ID: <4D782E30.5030908@uffner.com>
Date: Wed, 09 Mar 2011 20:49:36 -0500
From: Tom Uffner
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.16) Gecko/20110206 Lightning/1.0b1 SeaMonkey/2.0.11
MIME-Version: 1.0
To: "quentin.narvor"
References: <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>
In-Reply-To: <6304e85de3fbe21c56ac6a3fbed4ee24@ensi-bourges.fr>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Dynamically adding entry in a table
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Thu, 10 Mar 2011 02:08:38 -0000

quentin.narvor wrote:
> I'd like to dump (dup-to operation) all traffic from a subset of hosts
> belonging to my internal network. This subset of hosts will be stored in
> a table.
>
> I have another table referring to blacklisted hosts (i.e. botnets, etc).
> When a packet goes through the firewall with destination host = an IP of
> blacklist table, I'd like to trigger an addition to the first table (the
> one containing internal host to dump traffic).

Let's call your two tables watchhosts & blackhosts.

Ensure that you are logging packets with destinations in the blacklist
table (e.g. "pass out log on $ext_if to "). If you are logging a lot of
traffic you may find it useful to create a separate pflog for this rule
and use "log (to )" in this rule.

Write a script that reads the pflog and parses source addresses from
packets that trip the blackhosts rule above. The script then uses
something like "pfctl -t watchhosts -T add " to add the address to your
table.

Please consult the man pages pf.conf(5), pfctl(8) and pflog(4) for
additional information.
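The procedure Tom sketches (log blacklist hits to a dedicated pflog, parse the source addresses out of it, feed them to pfctl -T add), put together as one script. This is an added example, not code from the thread or from Tom; the table names watchhosts/blackhosts, the pflog1 interface, the pf.conf fragment in the header comment and the $ext_if/$int_if/$int_net/$mon_if macros are assumptions, and the pflog sample it parses is constructed to look like "tcpdump -n -e -ttt" output for such a rule. It goes a little beyond the text by validating that a parsed token really is an IPv4 address before it is handed to pfctl.

```shell
#!/bin/sh
# Added example, not from the thread: push internal hosts that talk to
# <blackhosts> into <watchhosts>. Assumed pf.conf fragment (all names are
# assumptions, pflog1 is assumed to be created via cloned_interfaces="pflog1"):
#
#   table <blackhosts> persist file "/etc/pf/blackhosts"
#   table <watchhosts> persist
#   # log hits on the blacklist to a dedicated pflog interface
#   pass out log (to pflog1) on $ext_if from $int_net to <blackhosts>
#   # copy everything the watched hosts send to a monitor interface
#   pass in on $int_if dup-to ($mon_if) from <watchhosts> to any
#
# Constructed sample of what "tcpdump -n -e -ttt -i pflog1" prints for that
# rule; the source (token left of ">") is the internal host we want to watch.
SAMPLE_PFLOG='00:00:00.000000 rule 12/0(match): pass out on em0: 192.0.2.10.51234 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
00:00:01.250000 rule 12/0(match): pass out on em0: 192.0.2.22.40000 > 198.51.100.9.443: Flags [S], seq 2, win 65535, length 0
00:00:02.000000 rule 12/0(match): pass out on em0: 192.0.2.10.51235 > 198.51.100.7.80: Flags [S], seq 3, win 65535, length 0
00:00:03.000000 rule 12/0(match): pass out on em0: 192.0.2.30 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64'

# Print the IPv4 source of every pflog line on stdin, one per line.
# tcpdump appends ".port" to TCP/UDP addresses, so a five-part token is
# address+port; ICMP lines carry the bare address. Anything that does not
# reduce to a.b.c.d (IPv6, truncated lines, garbage) is dropped so that it
# never reaches pfctl as an argument.
extract_sources() {
    awk '
    {
        src = ""
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); break }
        if (src == "") next
        n = split(src, p, ".")
        if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        print src
    }'
}

# Same, but each address once (for batch-loading from a saved pflog dump).
unique_sources() {
    extract_sources | sort -u
}

# Live mode: follow the dedicated pflog interface and add each source to
# the table. Adding an address that is already in the table is harmless.
# $1 = pflog interface, $2 = table name.
watch_pflog() {
    tcpdump -l -n -e -ttt -i "$1" 2>/dev/null | extract_sources |
    while read -r src; do
        pfctl -t "$2" -T add "$src"
    done
}

# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_PFLOG" | unique_sources
# Real use (needs root, pf and the pflog1 interface):
#   watch_pflog pflog1 watchhosts
```

With a rule that logs only to pflog1, every record on that interface is by construction a blacklist hit, so the parser does not need to match on the rule number; if you share pflog0 with other log rules, filter on the "rule N/0(match)" prefix first. The IPv4 check is what keeps a malformed line from turning into an unexpected pfctl argument.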