From: Michael Proto
To: Peter Maxwell
Cc: "freebsd-pf@freebsd.org"
Date: Wed, 23 Jun 2010 17:10:31 -0400
Subject: Re: can pf block a string ? or better, to limit it ?

On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you. Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table that blackholes it. Just a thought.
>
> Or if you want to do it "properly", I'm sure you could code something along
> the lines of a kernel module.
>

What about proxying the connection with nstreams?

http://www.freshports.org/net-mgmt/nstreams

-Proto
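
The Snort-plus-pfctl idea from the quoted message, sketched as an added example that is not part of the original thread or of any project named in it. It assumes Snort writes "fast" format alerts; the table name `blackhole`, the SID `1000001`, the allowlisted address and the sample alert lines are all placeholders constructed for illustration.

```sh
#!/bin/sh
# Assumed pf.conf lines (table name is a placeholder):
#   table <blackhole> persist
#   block in quick from <blackhole>
TABLE="${TABLE:-blackhole}"    # hypothetical pf table name
SID="${SID:-1000001}"          # hypothetical SID of the local content-match rule
ALLOW="${ALLOW:-192.0.2.1}"    # space-separated addresses never to block
PFCTL="${PFCTL:-echo pfctl}"   # dry run by default; set PFCTL=pfctl to apply

# Alert text is untrusted input: accept only a dotted quad with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Print the IPv4 source of a fast-alert line that carries our SID (gid 1).
alert_src() {
    case "$1" in
        *"[1:${SID}:"*"} "*" -> "*) ;;
        *) return 1 ;;
    esac
    marker='} '
    src=${1##*"$marker"}    # text after the "{PROTO} " field
    src=${src%% -> *}       # source endpoint only
    src=${src%%:*}          # drop the port, if present
    valid_ipv4 "$src" && printf '%s\n' "$src"
}

# Read alert lines on stdin; add each new offending source to the table once.
block_offenders() {
    seen=" $ALLOW "
    while IFS= read -r line; do
        ip=$(alert_src "$line") || continue
        case "$seen" in *" $ip "*) continue ;; esac   # allowlisted or already added
        seen="$seen$ip "
        $PFCTL -t "$TABLE" -T add "$ip"
    done
}

# Constructed sample alerts: a hit, a repeat, and an allowlisted source.
sample_alerts() {
    p='[**] [1:1000001:1] LOCAL banned string [**] [Priority: 0] {TCP}'
    printf '06/23-21:10:32.000001  %s 203.0.113.7:51234 -> 192.0.2.10:80\n' "$p"
    printf '06/23-21:10:33.000002  %s 203.0.113.7:51240 -> 192.0.2.10:80\n' "$p"
    printf '06/23-21:10:35.000004  %s 192.0.2.1:40001 -> 192.0.2.10:80\n' "$p"
}
sample_alerts | block_offenders   # dry run over the constructed sample
```

For live use, the output of `tail -F` on the Snort alert file would be piped into `block_offenders` with `PFCTL=pfctl` set; the location of that file depends on the local Snort configuration. Keeping the gateway and management addresses in `ALLOW` prevents a matching alert from locking out the administrator.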