Date:      Tue, 22 Dec 2009 12:50:24 +0545
From:      Gaurav Ghimire <gaurav@subisu.net.np>
To:        Peter Maxwell <peter@allicient.co.uk>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: External scripts with PF.
Message-ID:  <4B306FB4.2040100@subisu.net.np>
In-Reply-To: <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com>
References:  <4B2F0E9D.7020603@subisu.net.np>	 <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com>	 <03bd01ca8255$83b5a0f0$8b20e2d0$@com> <4B304627.5020209@subisu.net.np> <7731938b0912212246i2ca96420g7c56b4a72c4298e@mail.gmail.com>

Peter Maxwell wrote:
> 2009/12/22 Gaurav Ghimire <gaurav@subisu.net.np>:
>
>> thinking if I could be informed via an email alert that a new IP has
>> been added to the table abusive_ips. It seems this would have been
>> possible if there was a possibility that I could trigger an external
>> script on the 3rd rule I have. And the external script would just
>> do pfctl -t abusive_ips -T show and mail it to me, or I could just have
>> some more intelligence there and save a record of the previous show
>> output and mail the diffs; that way I could get the new IPs that have
>> been added to the table, and inform those clients that they have
>> something fishy going on at their end that is bombing my mail servers. That
>> way I would not need to make it a regular cron job and would have the
>> advantage of running it only when a new IP is added to the table.
>>
>> Was just thinking if this could have been possible.
>>
>
> Writing or modifying a script to suit your needs then putting it in a
> crontab to run even every few minutes will do what you want.  It will
> also take significantly less effort than breaking out your C compiler
> and learning enough about pf's API and internals to do it more
> elegantly.
>
> Apart from anything else, it is poor firewall design to have your
> firewall box execute code based on rules getting hit; if you don't
> understand why, seriously - get someone else to set up the firewall for
> you.  If you look at commercial firewalls, any event notification is
> not done by the firewall appliance itself, it's always done on either
> a separate management console, IDS, SEM, whatever.
>
Hi Peter,

Yes, I understand your concern here regarding the alert and notification
job being something that a firewall isn't supposed to do. Lack of
resources makes you try to get much more out of something, though it
might seem impractical :) .

I will take your suggestions into consideration. Thank you.

Regards,

-- 
Gaurav Ghimire
System Administrator - Systems (R&D)
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal
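The cron-driven approach Peter recommends, written out as an added example (not a script from the thread): it snapshots the pf table with pfctl, diffs the listing against the previous snapshot, and mails only the newly added entries. The state-file path, the mail recipient and the crontab line are assumptions; the sample listings in demo() are constructed, not real addresses.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven check that mails the
# addresses newly added to the pf table "abusive_ips" since the last run.
# Assumes pfctl(8) and mail(1); STATE_FILE and MAILTO are placeholders.
# Suggested crontab entry:  */5 * * * * /usr/local/sbin/pf_table_alert.sh run

TABLE="abusive_ips"
STATE_FILE="${STATE_FILE:-/var/db/${TABLE}.last}"   # assumed path
MAILTO="${MAILTO:-root}"                            # assumed recipient

# Print entries present in the current listing ($2) but not in the previous
# one ($1). Both files hold one entry per line as "pfctl -T show" prints
# them; awk's $1 drops pfctl's leading whitespace, NF skips blank lines.
# FILENAME is compared (not NR==FNR) so an empty baseline file still works.
new_entries() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         NF && !($1 in seen) { print $1 }' "$1" "$2"
}

# Snapshot the live table, mail any new entries, then keep the snapshot as
# the baseline for the next run. Returns 1 if pfctl could not list the table.
# On the very first run every entry is reported (empty baseline).
check_table() {
    cur=$(mktemp) || return 1
    if ! pfctl -t "$TABLE" -T show > "$cur" 2>/dev/null; then
        rm -f "$cur"; return 1
    fi
    [ -f "$STATE_FILE" ] || : > "$STATE_FILE"
    added=$(new_entries "$STATE_FILE" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in pf table %s:\n%s\n' "$TABLE" "$added" \
            | mail -s "pf: new entries in table $TABLE" "$MAILTO"
    fi
    mv "$cur" "$STATE_FILE"
}

# Constructed sample listings (not real data) in pfctl's output format, so
# the diff logic can be exercised on a host without pf.
demo() {
    prev=$(mktemp) && cur=$(mktemp) || return 1
    printf '   192.0.2.10\n   192.0.2.11\n' > "$prev"
    printf '   192.0.2.11\n   198.51.100.5\n   192.0.2.10\n   203.0.113.77\n' > "$cur"
    new_entries "$prev" "$cur"      # prints 198.51.100.5 and 203.0.113.77
    rm -f "$prev" "$cur"
}

case "${1:-}" in
    run)  check_table ;;
    demo) demo ;;
esac
```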