
Re: [OpenBSD-pf] dynamic filtering based on httpd error_log

-current has introduced two new features which you would find useful.
Anchors and Tables.
Tables especially would suit your requirements.
Check out a recent snapshot, and read the pf.conf man page for some useful
information on Tables.
Using Tables and a small program/script to add and delete entries you
could do what you're after.
Alistair Kerr
On Sun, 16 Feb 2003, Nathan Fisher wrote:
> Hello everyone,
> 	I've had my OpenBSD box running as a server for a few months
> now.  I've shut down all services except the ones I want, one of which is
> httpd.  I am curious if anyone out there has set up a tail on httpd's
> error_log with the intent to block IPs using pf.  I'm relatively new to
> the world of firewalls although I have a general understanding of TCP/IP
> architecture.  Basically what I'd like to do is as follows:
> a) attempts to access cmd.exe or similar quick drop, send me an e-mail
> so I can look up the network owner on ARIN to contact them concerning
> a malicious box, restore in a day, week, not sure really.
> b) 3 attempts to access invalid/non-existent files quick blocks the IP,
> restore in 10-20 mins.
> c) malformed headers quick blocks IP, restore in 1-5 mins.
> 	I'm primarily interested in dynamic addition and removal of rule
> sets using pf.  Would I be correct in using `pfctl -k AnnoyingIP` to
> remove the rule?  I haven't a clue as to how I would add a rule to the
> set.  Is concatenating to the end of a pf.conf copy and then
> loading the new ruleset my only option?  Would it be advisable to
> directly manipulate the rulesets with a C program? Any help with this
> would be greatly appreciated.  Thanks in advance.
> Regards,
> 	Nathan
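As an added illustration of the "Tables and a small program/script" approach the reply suggests (this is example code written for this page, not something from the thread or from OpenBSD), the sh script below tails httpd's error_log, sorts lines into Nathan's three cases, and adds the client address to a pf table with `pfctl -t <table> -T add`. The table names (`badguys`, `probes`, `malformed`), the 3-miss threshold, the Apache 1.3-style `[client a.b.c.d]` error_log format, the log path and the sample log lines are all assumptions; `pfctl -T expire` is a later pfctl feature than the 2003 snapshot the reply refers to, so timed removal is shown on that assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Sketches the "small program/script"
# the reply suggests: classify httpd error_log lines per Nathan's a)/b)/c) and
# push offending addresses into pf tables. Assumed: table names, thresholds,
# the Apache 1.3-style "[client a.b.c.d]" error_log format, and the log path.
#
# Assumed pf.conf fragment (tables must exist before pfctl can add to them):
#   table <badguys>   persist
#   table <probes>    persist
#   table <malformed> persist
#   block in quick from { <badguys>, <probes>, <malformed> }

PFCTL=${PFCTL:-pfctl}                          # set PFCTL=echo to dry-run without touching pf
NOTFOUND_THRESHOLD=${NOTFOUND_THRESHOLD:-3}    # b): 3 missing files -> block
MAIL_TO=${MAIL_TO:-}                           # a): where to mail cmd.exe hits (empty = no mail)

# decide: read error_log lines on stdin, print "TABLE IP" once per decision.
decide() {
    awk -v nf_thresh="$NOTFOUND_THRESHOLD" '
    {
        # only lines that carry a client address are interesting
        if (match($0, /\[client [0-9.]+\]/) == 0) next
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        if ($0 ~ /cmd\.exe/) {
            # a) any cmd.exe probe: block on first sight
            if (!(ip in attack)) { attack[ip] = 1; print "badguys " ip; fflush() }
        } else if ($0 ~ /File does not exist/) {
            # b) count missing-file errors, block on reaching the threshold
            notfound[ip]++
            if (notfound[ip] == nf_thresh) { print "probes " ip; fflush() }
        } else if ($0 ~ /Invalid URI|error reading the headers/) {
            # c) malformed request: block on first sight
            if (!(ip in mal)) { mal[ip] = 1; print "malformed " ip; fflush() }
        }
    }'
}

# block TABLE IP / unblock TABLE IP: the pfctl table operations the reply refers to
block()   { "$PFCTL" -t "$1" -T add "$2"; }
unblock() { "$PFCTL" -t "$1" -T delete "$2"; }

# expire_table TABLE SECONDS: drop entries older than SECONDS; meant for cron,
# e.g. every 5 minutes "expire_table probes 1200". -T expire is a later pfctl
# feature than the 2003 snapshot the reply mentions (assumption: your pfctl has it).
expire_table() { "$PFCTL" -t "$1" -T expire "$2"; }

# notify IP TEXT: e-mail the admin so the network owner can be looked up
notify() {
    if [ -n "$MAIL_TO" ]; then
        printf '%s\n' "$2" | mail -s "pf: blocked $1" "$MAIL_TO"
    fi
}

# watch_log [ERROR_LOG]: the tail Nathan describes, feeding decisions into pf
watch_log() {
    tail -f "${1:-/var/www/logs/error_log}" | decide |
    while read -r table ip; do
        block "$table" "$ip"
        if [ "$table" = badguys ]; then notify "$ip" "added to <$table>"; fi
    done
}

# Constructed sample log lines (RFC 5737 documentation addresses, not real hits).
SAMPLE_LOG=$(cat <<'EOF'
[Sun Feb 16 10:01:02 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/cmd.exe
[Sun Feb 16 10:01:05 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/old/page1.html
[Sun Feb 16 10:01:06 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/old/page2.html
[Sun Feb 16 10:01:09 2003] [error] [client 203.0.113.5] Invalid URI in request GET /% HTTP/1.0
[Sun Feb 16 10:01:11 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/old/page3.html
[Sun Feb 16 10:01:12 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/old/page4.html
[Sun Feb 16 10:02:00 2003] [notice] Apache/1.3.27 (Unix) configured -- resuming normal operations
EOF
)

# Stand-alone run: show what decide() would do with the sample, without touching pf.
printf '%s\n' "$SAMPLE_LOG" | decide
```

Run as `watch_log /var/www/logs/error_log` once the tables are declared in pf.conf; with `PFCTL=echo` it only prints the pfctl commands it would issue. Two things to keep in mind: case b) will also catch well-behaved clients, since stale links and browsers requesting favicon.ico produce "File does not exist" errors too, so the threshold and expiry should be generous; and adding an address to a block table only affects new packets, so a connection that already has a state entry keeps going until it ends or its state is killed with `pfctl -k`, which is where the command Nathan mentions fits in.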