On Mon, Nov 24, 2025 at 08:17:05PM +0800, W. D. Sadeep wrote:
> Hello,
> 
> I'm thinking of blocking bad IPs using PF tables persisted to a file. I
> would like to use a cron job to periodically analyze access logs and
> update the PF table. I'd like some advice on how best to set it up:
> 
>   1. Keep the file in /etc/ (e.g., /etc/pf.badbots), set restrictive
>      permissions (chmod 0600), and run the script under root's crontab.
>   2. Keep the file in a dedicated cron job user's directory, allow that
>      user to modify the file via the cron job, and use it in pf.conf.
> 
> I'm inclined to go with #1. Is that okay? Thanks in advance!

Reading the logs is likely to be possible for non-root users, so
one useful way to accomplish this would be to run the logs processing
as a regular user, store the result somewhere writeable by that user, and
load the result at intervals from a crontab entry that may be root's.

That way, if the logs processing somehow does strange things, only things
accessible and writeable by the less privileged user are affected.

A crontab that executes something like

"pfctl -t badhosts -T add -f /home/user/baddies"

with an empty file or containing something that is not recognizable as an IP
address would only cause the content not to be loaded, leaving the rest of
your config intact.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://nxdomain.no/~peter/blogposts https://nostarch.com/book-of-pf-4th-edition
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

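The two-step setup the reply describes, as an added example that is not part of the original thread: the unprivileged user's log-processing script, with the matching crontab entries shown as comments. The user name, file paths, threshold, log format and the sample log lines are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the unprivileged half of the setup in
# the reply.  A regular user's cron job turns the access log into a plain list
# of addresses; root's crontab then loads that list.  User name, paths,
# threshold and the sample log are assumptions.
#   loguser's crontab: */10 * * * * /home/loguser/badbots.sh > /home/loguser/baddies
#   root's crontab:    */15 * * * * pfctl -t badhosts -T add -f /home/loguser/baddies

# Constructed sample in common log format: field 1 = client, field 9 = status.
SAMPLE_LOG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [24/Nov/2025:20:17:05 +0800] "GET /nonexistent HTTP/1.1" 404 196
203.0.113.7 - - [24/Nov/2025:20:17:06 +0800] "GET /backup.zip HTTP/1.1" 404 196
203.0.113.7 - - [24/Nov/2025:20:17:07 +0800] "GET /old/ HTTP/1.1" 404 196
198.51.100.9 - - [24/Nov/2025:20:18:01 +0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [24/Nov/2025:20:18:02 +0800] "GET /favicon.ico HTTP/1.1" 404 196
192.0.2.44 - - [24/Nov/2025:20:19:10 +0800] "GET /private/ HTTP/1.1" 403 199
192.0.2.44 - - [24/Nov/2025:20:19:11 +0800] "GET /private/a HTTP/1.1" 403 199
192.0.2.44 - - [24/Nov/2025:20:19:12 +0800] "GET /private/b HTTP/1.1" 403 199
bot.example.net - - [24/Nov/2025:20:20:00 +0800] "GET /x HTTP/1.1" 404 196
bot.example.net - - [24/Nov/2025:20:20:01 +0800] "GET /y HTTP/1.1" 404 196
bot.example.net - - [24/Nov/2025:20:20:02 +0800] "GET /z HTTP/1.1" 404 196
EOF

# badbots LOGFILE [THRESHOLD]: print, one per line, each client that drew at
# least THRESHOLD responses in the 4xx range.  Only well-formed IPv4 dotted
# quads are emitted, so a resolved hostname (HostnameLookups on) or a mangled
# field never reaches the file that root's pfctl run reads.
badbots() {
    awk -v thr="${2:-3}" '
        function valid_ip4(s,  o, n, i) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        $9 ~ /^4[0-9][0-9]$/ { hits[$1]++ }
        END {
            for (c in hits)
                if (hits[c] >= thr && valid_ip4(c)) print c
        }
    ' "$1" | sort
}

badbots "$SAMPLE_LOG" 3
```

Because the list file is written by the unprivileged user and only read by root's `pfctl` run, a bug in the log parsing can at worst produce a short or empty list, never a changed firewall ruleset.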