From owner-freebsd-pf@FreeBSD.ORG Tue Dec 22 06:46:49 2009
Date: Tue, 22 Dec 2009 06:46:47 +0000
From: Peter Maxwell
Sender: allicient3141@googlemail.com
To: Gaurav Ghimire
Cc: freebsd-pf@freebsd.org
Subject: Re: External scripts with PF.
Message-ID: <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com>
In-Reply-To: <4B304627.5020209@subisu.net.np>
References: <4B2F0E9D.7020603@subisu.net.np> <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com> <03bd01ca8255$83b5a0f0$8b20e2d0$@com> <4B304627.5020209@subisu.net.np>
List-Id: "Technical discussion and general questions about packet filter (pf)"

2009/12/22 Gaurav Ghimire:
> thinking if I could be informed via an email alert that a new IP has
> been added to the table abusive_ips. It seems this would have been
> possible if there was a possibility that I could trigger an external
> script on the 3rd rule I have. And the external script would just
> do pfctl -t abusive_ips -T show and mail it to me, or I could just have
> some more intelligence there and save a record of the previous show
> output and mail the diffs; that way I could get the new IPs that have
> been added to the table, and inform the clients that they have
> something fishy going on at their end that is bombing my mail servers.
> That way I would not need to make it a regular cron job and would have
> the advantage of running it only when a new IP is added to the table.
>
> Was just thinking if this could have been possible.

Writing or modifying a script to suit your needs then putting it in a
crontab to run even every few minutes will do what you want. It will
also take significantly less effort than breaking out your C compiler
and learning enough about pf's API and internals to do it more
elegantly.

Apart from anything else, it is poor firewall design to have your
firewall box execute code based on rules getting hit; if you don't
understand why, seriously - get someone else to set up the firewall for
you.

If you look at commercial firewalls, any event notification is not done by the firewall appliance itself, it's always done on either a separate management console, IDS, SEM, whatever.
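As an added illustration of the cron-driven approach Peter recommends (this is not code from either poster or from the FreeBSD project), the script below dumps the table with `pfctl -t abusive_ips -T show`, compares it against the dump saved by the previous run, and mails only the addresses that are new. The table name, state directory, recipient and script path are assumptions; the diffing is done with `comm` on normalised, sorted dumps so the comparison is stable across runs.

```sh
#!/bin/sh
# pf-table-notify.sh: hypothetical helper for this thread, run from cron, e.g.
#   */5 * * * * /usr/local/sbin/pf-table-notify.sh run
# Mails only the addresses that appeared in a pf table since the last run.
# TABLE, STATE_DIR and MAILTO are assumed defaults; adjust to your setup.

export LC_ALL=C                      # byte-order sort, so comm(1) agrees with sort(1)
TABLE="${TABLE:-abusive_ips}"
STATE_DIR="${STATE_DIR:-/var/db/pf-table-notify}"
MAILTO="${MAILTO:-root}"

# Normalise a "pfctl -T show" dump: strip leading whitespace (pfctl indents
# each address), drop blank lines, sort and de-duplicate.
normalize_table() {
    sed 's/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# Print lines present in the current dump ($1) but absent from the previous
# one ($2). Both files must already be normalised (sorted, unique).
new_entries() {
    comm -13 "$2" "$1"
}

# Build the notification body from a file of newly added addresses ($1).
report_body() {
    printf 'New entries in pf table "%s" on %s:\n\n' "$TABLE" "$(hostname)"
    cat "$1"
}

# One cron invocation: dump, diff against saved state, mail, save state.
run_once() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/$TABLE.prev"
    cur="$STATE_DIR/$TABLE.cur"
    added="$STATE_DIR/$TABLE.new"
    [ -f "$prev" ] || : > "$prev"    # first run: every entry counts as new
    pfctl -t "$TABLE" -T show | normalize_table > "$cur"
    new_entries "$cur" "$prev" > "$added"
    if [ -s "$added" ]; then
        report_body "$added" | mail -s "pf: new entries in table $TABLE" "$MAILTO"
    fi
    mv "$cur" "$prev"
}

# Only touch pfctl/mail when explicitly asked, so the functions can be
# sourced and exercised on a box without pf.
case "${1:-}" in
    run) run_once ;;
esac
```

Because the script keeps the previous dump on disk, an address that is expired from the table and later re-added is reported again, which is usually what you want for an abuse list; if it is not, keep a separate "ever seen" file and diff against that instead.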