-current has introduced two new features which you would find useful: Anchors and Tables.
Tables especially would suit your requirements. Check out a recent snapshot, and read the pf.conf man page for some useful information on Tables. Using Tables and a small program/script to add and delete entries you could do what you're after.

Cheers,
Alistair Kerr

On Sun, 16 Feb 2003, Nathan Fisher wrote:

> Hello everyone,
>
> I've had my OpenBSD box running as a server for a few months
> now. I've shut down all services except the ones I want, one of which is
> httpd. I am curious if anyone out there has set up a tail on httpd's
> error_log with the intent to block IPs using pf. I'm relatively new to
> the world of firewalls although I have a general understanding of TCP/IP
> architecture. Basically what I'd like to do is as follows:
>
> a) attempts to access cmd.exe or similar quick drop, send me an e-mail
> so I can look up the network owner on ARIN to contact them concerning
> a malicious box, restore in a day, week, not sure really.
>
> b) 3 attempts to access invalid/non-existent files quick blocks the IP,
> restore in 10-20mins.
>
> c) malformed headers quick blocks IP, restore in 1-5mins.
>
> I'm primarily interested in dynamic addition and removal of rule
> sets using pf. Would I be correct in using `pfctl -k AnnoyingIP` to
> remove the rule? I haven't a clue as to how I would add a rule to the
> set. Is concatenating to the end of a pf.conf copy and then
> loading the new ruleset my only option? Would it be advisable to
> directly manipulate the rulesets with a C program? Any help with this
> would be greatly appreciated. Thanks in advance.
>
> Regards,
>
> Nathan
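A sketch of the table-plus-script approach Alistair suggests, added here as an example and not code from either poster. It assumes a pf.conf that declares `table <badhosts> persist` with a `block in quick from <badhosts>` rule, Apache-1.3-style error_log lines, and the three cases and timeouts from Nathan's a), b) and c); the table name, thresholds and log patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): push offending client addresses from
# Apache's error_log into a pf table. Assumed pf.conf lines:
#   table <badhosts> persist
#   block in quick from <badhosts> to any
TABLE=${TABLE:-badhosts}
THRESHOLD=${THRESHOLD:-3}     # missing-file requests before an address is blocked
PFCTL=${PFCTL:-pfctl}         # set PFCTL=echo to dry-run without touching pf

# find_offenders: read error_log lines on stdin, print "reason ip" once for each
# address that should be blocked. Only IPv4 "[client a.b.c.d]" entries are handled.
find_offenders() {
    awk -v thr="$THRESHOLD" '
    match($0, /\[client [0-9.]+\]/) {
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        if ($0 ~ /cmd\.exe/)                      { print "cmdexe " ip; fflush(); next }
        if ($0 ~ /request failed|Invalid method/) { print "malformed " ip; fflush(); next }
        if ($0 ~ /File does not exist/ && ++miss[ip] == thr) { print "notfound " ip; fflush() }
    }'
}

# ttl_for REASON: how long (seconds) an address stays in the table
ttl_for() {
    case $1 in
        cmdexe)    echo 86400 ;;   # a day, long enough to look up the owner on ARIN
        notfound)  echo 1200 ;;    # 20 minutes
        malformed) echo 300 ;;     # 5 minutes
        *)         echo 600 ;;
    esac
}

# block_ip REASON IP: add the address to the table now, drop it again after the TTL
block_ip() {
    reason=$1; ip=$2; ttl=$(ttl_for "$reason")
    $PFCTL -t "$TABLE" -T add "$ip"
    $PFCTL -k "$ip"   # -k kills the host's existing states; it does not remove rules
    ( sleep "$ttl"; $PFCTL -t "$TABLE" -T delete "$ip" ) </dev/null >/dev/null 2>&1 &
}

# watch_log FILE: follow the live log and block addresses as entries appear
watch_log() {
    tail -f "$1" | find_offenders | while read -r reason ip; do block_ip "$reason" "$ip"; done
}
# Constructed sample lines in Apache 1.3 error_log format, for a dry run:
#   printf '%s\n' "$SAMPLE_LOG" | find_offenders
SAMPLE_LOG='[Sun Feb 16 10:01:02 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/cmd.exe
[Sun Feb 16 10:01:05 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/a.html
[Sun Feb 16 10:01:06 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/b.html
[Sun Feb 16 10:01:09 2003] [error] [client 203.0.113.5] request failed: error reading the headers
[Sun Feb 16 10:01:12 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/c.html'
```

Run `watch_log /var/www/logs/error_log` as root once pf has loaded the ruleset containing the table; the missing-file counter in `find_offenders` never resets, so a long-running copy should be restarted (or given a time window) in production.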
