From: Quentin Narvor
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, nicolas.greneche@univ-orleans.fr
Date: Thu, 7 Apr 2011 17:14:25 +0200
Subject: Re: [PATCH] New feature in Packet Filter

2011/4/7 Ermal Luçi
> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor wrote:
> > Hello,
> >
> > My name is Quentin Narvor and I am currently working on intrusion detection.
> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically fill in
> > tables according to pass rules.
> >
> > For performance reasons, I didn't want to do it with a script and pfctl.
> > Then, with the help of Mr Nicolas Greneche, I made this patch named "add".
> > It enables pf to add src ip or dst ip in a table when a match occurs on a
> > pass rule.
> >
>
> I cannot see, apart from collecting IPs in tables, anything else that
> cannot be done through pf(4) tags!
> Can you please describe a use case for this patch?

Indeed, it enables pf to change its behaviour toward some hosts dynamically.
I will build a blacklist of IPs which have been recognized as compromised
(botnets, spam, etc). I build a table with those IPs. If I match a connection
between one host of my internal network and one blacklisted IP, there are
chances that this host is infected. I want to do a comprehensive capture of
this host's connections by adding its src ip to a table of hosts to watch.
A dup-to rule dumps traffic from the "host to watch" table to a sensor.

Here are the rules:

    pass in on $int_if from any to add ipsrc
    pass in on $int_if dup-to ($sensor_if, sensor_ip) from to any

Unless I miss something, I think it is not possible to make this example just
with pf(4) tags: it would have been possible if I wanted to copy only the
traffic between my hosts and botnets.

> > I submit this patch to your attention. Is this feature of interest to be
> > added in PF mainstream?
> >
> > You will find the patch and its documentation in attachment.
> > Let me know if you think that some modifications are needed.
> >
> > Best regards,
> >
> > Quentin Narvor
>
> --
> Ermal
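To make the two-rule policy in the message concrete, the following is an added Python model of the behaviour described (example code, not the patch, pf, or anything from the thread). The table names `blacklist` and `hosts_to_watch`, the sensor address and the sample flows are assumptions; pf's actual rule evaluation (last match wins, table lookups in the kernel) is only approximated here.

```python
"""Model of the policy from the message: a pass rule that adds the source
address of any connection to a blacklisted destination into a 'hosts to
watch' table, followed by a dup-to rule that mirrors every flow from a
watched host to a sensor.  Added example; not the patch's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Table:
    """A pf-style address table: a named set of networks, matched by membership."""
    name: str
    nets: set = field(default_factory=set)

    def add(self, addr: str) -> None:
        # A bare host address becomes a /32 (or /128) network.
        self.nets.add(ipaddress.ip_network(addr, strict=False))

    def __contains__(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)


@dataclass
class Policy:
    """Table names and the sensor address are assumptions made for this example."""
    blacklist: Table
    hosts_to_watch: Table
    sensor_ip: str

    def evaluate(self, src: str, dst: str) -> dict:
        """Evaluate one inbound flow on $int_if.  Both rules are 'pass', so the
        verdict is always pass; what matters are the side effects."""
        result = {"action": "pass", "added": None, "dup_to": None}
        # Rule 1: pass in on $int_if from any to <blacklist> add ipsrc <hosts_to_watch>
        if dst in self.blacklist and src not in self.hosts_to_watch:
            self.hosts_to_watch.add(src)
            result["added"] = src
        # Rule 2: pass in on $int_if dup-to ($sensor_if, $sensor_ip) from <hosts_to_watch> to any
        # This model mirrors a host from the flow that got it added onward; whether
        # the patch already duplicates that first flow is not stated in the message.
        if src in self.hosts_to_watch:
            result["dup_to"] = self.sensor_ip
        return result


def build_policy() -> Policy:
    bl = Table("blacklist")
    for entry in ("198.51.100.0/24", "203.0.113.7"):  # constructed sample entries
        bl.add(entry)
    return Policy(bl, Table("hosts_to_watch"), "10.0.0.2")  # assumed sensor address


# Constructed flow records (src, dst) as seen inbound on $int_if.
FLOWS = [
    ("192.0.2.10", "203.0.113.50"),  # ordinary traffic, host not yet watched
    ("192.0.2.10", "198.51.100.5"),  # contacts a blacklisted net: host gets added
    ("192.0.2.10", "203.0.113.60"),  # now every flow from this host is mirrored
    ("192.0.2.20", "203.0.113.60"),  # clean host, same destination: not mirrored
]


def replay(policy: Policy, flows) -> list:
    """Run the flows through the policy in order and return each result."""
    return [policy.evaluate(src, dst) for src, dst in flows]


if __name__ == "__main__":
    p = build_policy()
    for (src, dst), r in zip(FLOWS, replay(p, FLOWS)):
        print(f"{src} -> {dst}: {r}")
    print("hosts_to_watch:", sorted(map(str, p.hosts_to_watch.nets)))
```

The point the model makes is the one Quentin argues: the decision to mirror flow 3 depends on state written by an earlier, unrelated flow (flow 2), which a per-packet tag cannot carry, whereas a table entry can.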