On Sun, Feb 16, 2003 at 02:49:06AM -0500, Nathan Fisher wrote:

> I'm primarily interested in dynamic addition and removal of rule
> sets using pf.

With -current, this is pretty simple with tables. For instance, I add IP addresses to a block rule when they request certain pages from my web server. It's worth noting that a client must complete the TCP handshake to fetch a page and get logged in the web server log, so spoofing source addresses is no threat to this setup.

$ cat quickblock.grep
/crawlertrap/
/_vti_bin/
"GET /www/scripts/
cmd.exe
root.exe

$ cat quickblock (this is run from a cronjob)
cat ~/quickblock >~/quickblock.tmp
egrep -f ~/quickblock.grep /var/log/thttpd | cut -d " " -f 1 >>~/quickblock.tmp
sort -u <~/quickblock.tmp | grep -v "^127\.0\.0\.1$" >~/quickblock
pfctl -t quickblock -T replace -f ~/quickblock

$ pfctl -sr | grep quickblock
block drop in quick on kue0 inet from <quickblock> to any

So if a client requests /crawlertrap/index.html, because it's an impolite web crawler dishonouring my robots.txt, it gets added to the quickblock table within a couple of minutes (when the cronjob runs the next time), which blocks further connections from that source.

With pfctl -t quickblock -T <command>, you can manually add or remove addresses from that table, view statistics, etc.; see the new pfctl man page.

Evaluation of the ruleset doesn't get more expensive when the table size grows, that's the nice thing about tables:

$ pfctl -t quickblock -T show | wc -l
414

It doesn't really matter if there are 400 or 40000 addresses in that table, the rule will evaluate equally fast.

Daniel
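
The log-to-table step from the message above, as an added example that is not Daniel's script: it keeps his pipeline (existing list plus matched log lines, sort -u, drop loopback) and adds the check a practitioner would want before handing the file to pfctl -T replace, namely that every line is a dotted-quad address, since one garbled log line would otherwise make pfctl reject the whole replacement. The pattern file, the one-address-per-line list, the thttpd-style log lines and the table name are assumptions; the sample log is constructed, not real traffic.

```sh
#!/bin/sh
# quickblock_addrs: print the merged, de-duplicated IPv4 list for the table.
#   $1 = pattern file (egrep -f style, as in the original quickblock.grep)
#   $2 = existing address list, one per line (may not exist yet)
#   stdin = access log with the client address as the first field (thttpd)
quickblock_addrs() {
    pats=$1; cur=$2
    {
        [ -f "$cur" ] && cat "$cur"
        grep -f "$pats" | cut -d ' ' -f 1
    } |
    # Only dotted quads may reach the table: pfctl -T replace fails on the
    # whole file if a truncated or non-address token slips in.
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    grep -v '^127\.0\.0\.1$' |
    sort -u
}

# quickblock_load: hand the finished list to pf (run from cron on the firewall).
quickblock_load() {
    pfctl -t quickblock -T replace -f "$1"
}

# quickblock_demo: run the builder on constructed inputs and print the result.
quickblock_demo() {
    d=$(mktemp -d)
    printf '%s\n' '/crawlertrap/' '/_vti_bin/' 'cmd.exe' 'root.exe' >"$d/quickblock.grep"
    printf '%s\n' '192.0.2.9' >"$d/quickblock"          # address blocked last run
    # Constructed log lines (RFC 5737 test addresses), common-log layout.
    printf '%s\n' \
      '198.51.100.7 - - [16/Feb/2003:02:49:06 -0500] "GET /crawlertrap/index.html HTTP/1.0" 200 312' \
      '203.0.113.5 - - [16/Feb/2003:02:50:11 -0500] "GET /index.html HTTP/1.0" 200 1440' \
      '203.0.113.77 - - [16/Feb/2003:02:51:30 -0500] "GET /cgi-bin/cmd.exe HTTP/1.0" 404 0' \
      '127.0.0.1 - - [16/Feb/2003:02:52:00 -0500] "GET /crawlertrap/ HTTP/1.0" 200 312' \
      'garbled-line - - "GET /_vti_bin/ HTTP/1.0" 404 0' \
      | quickblock_addrs "$d/quickblock.grep" "$d/quickblock"
    rm -rf "$d"
}
```

Running quickblock_demo prints 192.0.2.9, 198.51.100.7 and 203.0.113.77: the old entry is kept, the two matching clients are added, and the loopback and garbled lines are dropped.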
