
[OpenBSD-pf] dynamic filtering based on httpd error_log

Hello everyone,
	I've had my OpenBSD box running as a server for a few months
now.  I've shut down all services except the ones I want, one of which is
httpd.  I am curious if anyone out there has set up a tail on httpd's
error_log with the intent to block IPs using pf.  I'm relatively new to
the world of firewalls, although I have a general understanding of TCP/IP
architecture.  Basically what I'd like to do is as follows:
a) attempts to access cmd.exe or similar: quick drop, send me an e-mail
so I can look up the network owner on ARIN to contact them concerning
a malicious box; restore in a day, a week, not sure really.
b) 3 attempts to access invalid/non-existent files: quick block the IP,
restore in 10-20 mins.
c) malformed headers: quick block the IP, restore in 1-5 mins.
	I'm primarily interested in dynamic addition and removal of rule
sets using pf.  Would I be correct in using `pfctl -k AnnoyingIP` to
remove the rule?  I haven't a clue as to how I would add a rule to the
set.  Is concatenating to the end of a pf.conf copy and then
loading the new ruleset my only option?  Would it be advisable to
directly manipulate the rulesets with a C program?  Any help with this
would be greatly appreciated.  Thanks in advance.
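One way to build the three-tier scheme asked about above, as an added example that is not from the original post, from OpenBSD, or from any reply in the thread. It assumes a pf release with table support and a pf.conf that declares three hypothetical tables (<attackers>, <scanners>, <malformed>) and blocks from them with a single `block in quick` rule, so nothing ever has to be appended to pf.conf or reloaded; the script only runs `pfctl -t <table> -T add`, `pfctl -k`, and `pfctl -t <table> -T expire`. The error_log lines are constructed samples in the Apache 1.3 `[date] [level] [client A.B.C.D] message` format, the "cmd.exe or similar" signature list and the malformed-header markers are assumptions, and the table names and lifetimes are made up to match the post's three cases.

```python
#!/usr/bin/env python3
"""Push httpd error_log offenders into pf tables (added example, not from the post).
Assumed pf.conf fragment, with hypothetical table names:
    table <attackers> persist
    table <scanners>  persist
    table <malformed> persist
    block in quick from { <attackers>, <scanners>, <malformed> } to any
Run as root (pfctl opens /dev/pf): tail -f /var/www/logs/error_log | python3 pfwatch.py
"""
import re
import subprocess
import sys
import time
from collections import defaultdict

# Constructed sample lines in the Apache 1.3 error_log format; not from the post.
SAMPLE_LOG = """\
[Sun Mar 10 12:00:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/../../winnt/system32/cmd.exe
[Sun Mar 10 12:00:02 2002] [error] [client 192.0.2.20] File does not exist: /var/www/htdocs/foo.html
[Sun Mar 10 12:00:03 2002] [error] [client 192.0.2.20] File does not exist: /var/www/htdocs/bar.html
[Sun Mar 10 12:00:04 2002] [error] [client 192.0.2.20] File does not exist: /var/www/htdocs/baz.html
[Sun Mar 10 12:00:05 2002] [error] [client 192.0.2.30] Invalid method in request \\x16\\x03\\x01
[Sun Mar 10 12:00:06 2002] [error] [client 192.0.2.40] File does not exist: /var/www/htdocs/favicon.ico
"""
LINE_RE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$")

# kind -> (pf table, seconds after which -T expire drops the entry, e-mail the admin?)
POLICIES = {
    "attacker":  ("attackers", 86400, True),   # cmd.exe and friends: a day, plus an alert
    "scanner":   ("scanners",    900, False),  # three missing files: 15 minutes
    "malformed": ("malformed",   180, False),  # garbage request or headers: 3 minutes
}
ATTACK_SIGNATURES = ("cmd.exe", "root.exe")   # assumed list; extend to taste
MALFORMED_MARKERS = ("Invalid method in request", "request failed: error reading the headers")
NOTFOUND_THRESHOLD = 3


class Watcher:
    def __init__(self, runner=None):
        # runner receives a pfctl(8) argument list; dry runs pass a recorder instead
        self.run = runner or (lambda a: subprocess.run(["pfctl", *a], check=True))
        self.notfound = defaultdict(int)   # ip -> "File does not exist" hits so far
        self.blocked = {}                  # ip -> table it currently sits in
        self.alerts = []                   # messages for the admin; pipe them to mail(1)

    def classify(self, line):
        """Return (ip, kind) when a line should trigger a block, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ip, msg = m.group("ip"), m.group("msg")
        if any(sig in msg for sig in ATTACK_SIGNATURES):
            return ip, "attacker"
        if any(mk in msg for mk in MALFORMED_MARKERS):
            return ip, "malformed"
        if msg.startswith("File does not exist:"):
            self.notfound[ip] += 1
            if self.notfound[ip] >= NOTFOUND_THRESHOLD:
                self.notfound[ip] = 0
                return ip, "scanner"
        return None

    def block(self, ip, kind):
        """Add ip to the table for kind; False if it is already there."""
        table, _, notify = POLICIES[kind]
        if self.blocked.get(ip) == table:
            return False
        self.run(["-t", table, "-T", "add", ip])
        # A new table entry leaves existing states alone, so kill the client's
        # state entries as well (-k removes states, not rules).
        self.run(["-k", ip])
        self.blocked[ip] = table
        if notify:
            self.alerts.append(f"{ip} added to <{table}>; look up the owner at ARIN")
        return True

    def expire(self):
        """Drop entries older than each table's lifetime; call this periodically."""
        for table, seconds, _ in POLICIES.values():
            self.run(["-t", table, "-T", "expire", str(seconds)])
        self.blocked.clear()   # re-adding an entry that is still present is harmless

    def process(self, lines):
        """Feed log lines; return the (ip, kind) pairs that caused a block."""
        hits = []
        for line in lines:
            verdict = self.classify(line.rstrip("\n"))
            if verdict and self.block(*verdict):
                hits.append(verdict)
        return hits


def dry_run(log=SAMPLE_LOG):
    """Run log through a Watcher that records pfctl argument lists instead of running them."""
    calls = []
    w = Watcher(runner=calls.append)
    return w.process(log.splitlines()), calls, w.alerts


if __name__ == "__main__":                 # tail -f error_log | python3 pfwatch.py
    w, last = Watcher(), time.monotonic()
    for line in sys.stdin:
        w.process([line])
        while w.alerts:
            print("ALERT:", w.alerts.pop())   # or hand it to mail(1)
        if time.monotonic() - last > 60:       # age out table entries once a minute
            w.expire()
            last = time.monotonic()
```

Two points worth taking from it. `pfctl -k host` kills the state entries for that host, not rules; on its own it would only drop the current connections, and on its own a new block rule or table entry would leave those existing states alive, so the two belong together. Removing the block itself is `pfctl -t scanners -T delete 192.0.2.20`, or the periodic `-T expire <seconds>` above, which ages out entries by the time they were added. Tables, where the pf release has them, are what make this safe to drive from a script: a `persist` table survives a ruleset reload, and entries come and go without anyone rewriting pf.conf. Keep your own management addresses out of the signature path, because a typo in a URL from the admin's desk is otherwise three hits away from a 15-minute lockout.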