Date:      Mon, 21 Dec 2009 15:09:05 +0000
From:      Peter Maxwell <peter@allicient.co.uk>
To:        Gaurav Ghimire <gaurav@subisu.net.np>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: External scripts with PF.
Message-ID:  <7731938b0912210709l2dfbea79u4aa7c245e82bd203@mail.gmail.com>
In-Reply-To: <4B2F0E9D.7020603@subisu.net.np>
References:  <4B2F0E9D.7020603@subisu.net.np>

2009/12/21 Gaurav Ghimire <gaurav@subisu.net.np>:
> Hi all,
>
> Are there any possibilities that I could run a script (bash, perl) when
> any rule is matched?
>
> For example, I have some distinct rule and want to get an alert email
> each time any connection threshold is crossed on it from a single IP. Say
> I want one IP only have 1 http connection to a web service in my server,
> if it goes 2 pf would update a table or run an external script that would
> alert me about that IP.

For tracking source IPs and adding them to a table, you can already do
this, cf. max-src-conn and overload in the pf.conf man page.


If you use the overload keyword to dump the bad IPs into a table then
as a quick and dirty solution for scripting you can then run a script
from cron every few minutes to do something like:

pfctl -t table_name_with_bad_ips -T show


Just a quick warning in advance though, you're going to need a lot
more than just 1 allowed tcp connection per source IP to get an HTTP
service working properly, unless you want your web sites to be
practically unusable.  Personally, I'd set it to around 30 at first
then see how it goes - no normal usage should hit this, only a badly
configured robot.  Remember you're allowing for both users' browsers
using more than one connection at a time and the possibility of a
single source IP having many clients NAT'ed behind it.
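The cron-driven approach described above, as an added example that is not part of the original thread: a POSIX sh script that lists the overload table with `pfctl -T show`, compares it against the addresses already reported on a previous run, and mails only the new ones. The table name `bruteforce`, the state file path and the pf.conf rule in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a pf.conf rule such
# as the following (hypothetical names), so pf itself fills the table:
#   table <bruteforce> persist
#   pass in on $ext_if proto tcp to $web_srv port 80 keep state \
#       (max-src-conn 30, overload <bruteforce> flush global)
# Intended to be run from cron every few minutes as: pf_overload_alert.sh run
LC_ALL=C; export LC_ALL          # byte-order sort so sort(1) and comm(1) agree

TABLE="${TABLE:-bruteforce}"                      # assumed table name
STATE_FILE="${STATE_FILE:-/var/db/pf_overload_seen}"  # assumed path
ALERT_TO="${ALERT_TO:-root}"

# Lists the table contents; pfctl indents each address, so strip that.
list_table() {
    pfctl -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//'
}

# Prints addresses present in the listing ($2) but absent from the
# sorted state file ($1); the state file is created empty on first run.
new_entries() {
    seen_file="$1"; current="$2"
    [ -f "$seen_file" ] || : > "$seen_file"
    printf '%s\n' "$current" | grep -v '^$' | sort -u | comm -23 - "$seen_file"
}

# Overwrites the state file ($1) with the sorted, de-duplicated listing ($2),
# so the next run reports only fresh additions.
record_seen() {
    printf '%s\n' "$2" | grep -v '^$' | sort -u > "$1"
}

main() {
    current=$(list_table)
    fresh=$(new_entries "$STATE_FILE" "$current")
    if [ -n "$fresh" ]; then
        printf 'New addresses in pf table <%s>:\n%s\n' "$TABLE" "$fresh" \
            | mail -s "pf overload alert on $(hostname)" "$ALERT_TO"
    fi
    record_seen "$STATE_FILE" "$current"
}

# Only act when invoked with "run", so the functions can be sourced elsewhere.
if [ "${1:-}" = "run" ]; then main; fi
```

Note that `flush global` also tears down the offending source's existing states, so an address that trips the limit shows up in the table on the very next cron pass.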


