On Sat, Dec 31, 2005 at 07:43:27PM -0500, Elijah Savage wrote:
> If I create a rule like such
>
> table <bruteforce> persist file "/etc/bruteforce"
>
> pass proto tcp from any to $www_mail port 22 flags S/SA keep state
> (max-src-conn 5, max-src-conn-rate 4/5, overload <bruteforce> flush)
>
>
> Will pf write to the file? I know everything works without writing to a
> file. But say I do not want to lose those addresses that have been
> blocked due to an unexpected crash or needing to reboot such a box for a
> hardware upgrade.
No, but you can generate the file any time with
# pfctl -t bruteforce -Ts >/etc/bruteforce
Like from an hourly cronjob.
> Also if a policy has been put in place that gets
> caught by this rule must be there for 30 days without a hit on it is
> there anyway to tell when the last hit occurred?
Not directly, but try
# pfctl -t bruteforce -vTs
which prints each table entry like
   62.65.145.30
        Cleared:     Thu Nov 24 07:17:37 2005
        In/Block:    [ Packets: 56437              Bytes: 2708976            ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
This tells you that, since November 24th, 56437 packets were blocked by
'block in' rules referencing the table, matching address 62.65.145.30.
The timestamp is reset when you flush and reload the table with
# pfctl -t bruteforce -Ts >/etc/bruteforce
# pfctl -t bruteforce -Tf
# pfctl -t bruteforce -Ta -f /etc/bruteforce
If the timestamp in the 'Cleared:' field is older than 30 days and the
packet counter is 0, you know that the entry wasn't matched in more than
30 days.
Daniel
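As an added example (not part of the original thread or of pf itself), here is a POSIX shell function that applies the rule Daniel describes: it reads `pfctl -t bruteforce -vTs` output on stdin and prints every address whose Cleared: timestamp is older than N days and whose four packet counters are all zero. The function names, the reference-date argument (so the result is deterministic offline), and the sample table output are constructed for this example; on a real firewall the input would come from pfctl. The date arithmetic is done in awk so it does not depend on GNU or BSD `date` flags.

```shell
#!/bin/sh
# stale_entries MAXDAYS YYYY-MM-DD
#   Reads `pfctl -t <table> -vTs` output on stdin and prints the addresses
#   whose Cleared: timestamp is more than MAXDAYS days before the reference
#   date and whose In/Out Block/Pass packet counters are all zero.
#   The parser keys on the "Cleared:" and "Packets:" labels, not on pfctl's
#   tab indentation, so it also survives whitespace-mangled copies.
stale_entries() {
    awk -v maxdays="$1" -v ref="$2" '
    # Days since 1970-01-01 for a proleptic Gregorian date (Hinnant civil-to-days).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    function emit_if_stale() {
        if (addr != "" && have_ts && packets == 0 && refdays - cleared > maxdays)
            print addr
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        split(ref, r, "-")
        refdays = days_from_civil(r[1] + 0, r[2] + 0, r[3] + 0)
    }
    # "Cleared:     Thu Nov 24 07:17:37 2005" -> fields 3 (month), 4 (day), 6 (year)
    /Cleared:/ { cleared = days_from_civil($6 + 0, mon[$3], $4 + 0); have_ts = 1; next }
    # Sum every "Packets: N" counter of the current entry (In/Out, Block/Pass)
    /Packets:/ { for (i = 1; i <= NF; i++) if ($i == "Packets:") packets += $(i + 1); next }
    # Any other non-empty line is an address line; the address is its last field
    NF > 0     { emit_if_stale(); addr = $NF; have_ts = 0; packets = 0 }
    END        { emit_if_stale() }
    '
}

# Constructed sample of `pfctl -t bruteforce -vTs` output (not a real capture):
# one entry with hits, one idle since November, one idle but recently added.
sample_table_output() {
    cat <<'EOF'
   62.65.145.30
        Cleared:     Thu Nov 24 07:17:37 2005
        In/Block:    [ Packets: 56437              Bytes: 2708976            ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   192.0.2.17
        Cleared:     Thu Nov 24 07:17:37 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.9
        Cleared:     Tue Dec 20 12:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
EOF
}

# Live use on the firewall (not run here):
#   pfctl -t bruteforce -vTs | stale_entries 30 "$(date +%Y-%m-%d)"
# Offline demonstration against the constructed sample, 30-day threshold as of
# the date of the thread; only 192.0.2.17 qualifies.
sample_table_output | stale_entries 30 2005-12-31
```

The addresses printed can be handed to `pfctl -t bruteforce -T delete`. Two caveats follow directly from Daniel's reply: the Cleared: timestamp is reset by the flush-and-reload sequence, so after a reboot that restores the table from /etc/bruteforce every entry looks fresh again and the 30-day clock restarts; and the hourly `pfctl -Ts >/etc/bruteforce` should write to a temporary file and rename it into place, otherwise a crash mid-write leaves a truncated table to reload.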