[PATCH] New feature in Packet Filter

Quentin Narvor quentin.narvor at gmail.com
Thu Apr 7 15:14:27 UTC 2011


2011/4/7 Ermal Luçi <eri at freebsd.org>

> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor
> <quentin.narvor at gmail.com> wrote:
> > Hello,
> >
> > My name is Quentin Narvor and I am currently working on intrusion
> > detection.
> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically fill
> > in tables according to a pass rule.
> >
> > For performance reasons, I didn't want to do it with a script and pfctl.
> > Then, with the help of Mr Nicolas Greneche, I made this patch named
> > "add".
> > It enables pf to add the src ip or dst ip to a table when a match occurs on a
> > pass rule.
> >
>
> I cannot see, apart from collecting IPs in tables, anything else that
> cannot be done through pf(4) tags!
> Can you please describe a use case for this patch?


Indeed, it enables pf to change its behaviour towards some hosts dynamically.
I will build a blacklist of IPs which have been recognized as compromised
(botnets, spam, etc.). I build a table with those IPs.

If I match a connection between one host of my internal network and one
blacklisted IP, there is a chance that this host is infected.
I want to do a comprehensive capture of this host's connections by adding its
src ip to a table of hosts to watch. A dup-to rule dumps traffic from the "hosts
to watch" table to a sensor.

Here are the rules :
pass in on $int_if from any to <blacklist> add ipsrc <infected_hosts>
pass in on $int_if dup-to ($sensor_if, sensor_ip) from <infected_hosts> to any

Unless I am missing something, I think it is not possible to make this example
just with pf(4) tags: it would have been possible if I wanted to copy only
the traffic between my hosts and botnets.


> > I submit this patch to your attention. Is this feature of interest to be
> > added to PF mainstream?
> >
> > You will find the patch and its documentation in attachment.
> > Let me know if you think that some modifications are needed.
> >
> > Best regards,
> >
> > Quentin Narvor
> >
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >
>
>
>
> --
> Ermal
>
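As an added example (not code from the post, the patch, or the FreeBSD project), here is the user-space script-and-pfctl loop that the proposed in-kernel "add" keyword replaces: the blacklist pass rule is logged to pflog0, the log is read with tcpdump, the source address of each matching packet is extracted, and pfctl -t ... -T add feeds it into the watch table. The table name infected_hosts, the rule number 2, the interface em1 and the log lines are all constructed for the example; the only real interfaces used are tcpdump's pflog output format and the pfctl -T add command.

```sh
#!/bin/sh
# Added example: approximate "pass ... add ipsrc <infected_hosts>" from user
# space. Assumes the blacklist pass rule carries "log" so that every match is
# written to pflog0, and that it is the only "pass in" rule being logged on
# the inside interface (hypothetical; narrow the awk pattern to your rule
# number otherwise).

TABLE=infected_hosts    # hypothetical table name, as in the posted rules

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output. Lines 1, 2 and
# 4 are matches of the (hypothetical) blacklist rule 2; line 3 is an unrelated
# block and must be ignored. 10.0.0.42 appears twice and must be emitted once.
SAMPLE_LOG='00:00:00.000000 rule 2/0(match): pass in on em1: 10.0.0.42.51822 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:00.120000 rule 2/0(match): pass in on em1: 10.0.0.42.51823 > 198.51.100.9.80: Flags [S], seq 2, win 65535, length 0
00:00:01.000000 rule 0/0(match): block in on em1: 203.0.113.200.4444 > 10.0.0.5.22: Flags [S], seq 3, win 1024, length 0
00:00:02.000000 rule 2/0(match): pass in on em1: 10.0.0.17.40001 > 198.51.100.7.443: Flags [S], seq 4, win 65535, length 0'

# Read pflog lines on stdin, print each new source IPv4 address once.
# tcpdump -n prints "addr.port", so the trailing ".port" is stripped.
extract_src_ips() {
    awk '/\(match\): pass in on/ {
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
        sub(/\.[0-9]+$/, "", src)            # drop the port
        if (!(src in seen)) { seen[src] = 1; print src }
    }'
}

# Turn the address list into pfctl table additions. Printed as a dry run;
# replace "echo" with "" to apply them on a live firewall. Adding an address
# that is already in the table is harmless, so no state is kept across runs.
feed_table() {
    extract_src_ips | while read -r ip; do
        echo "pfctl -t $TABLE -T add $ip"
    done
}

# Live use would be:  tcpdump -n -e -ttt -l -i pflog0 | feed_table
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | feed_table
```

The cost the original poster is avoiding is visible here: every logged packet crosses the kernel boundary once for tcpdump and then forks a pfctl process per new address, whereas the patched pass rule does the table insert at match time. Note also that only packets actually evaluated against the ruleset reach pflog, so with stateful pass rules this is the first packet of each connection, not every packet.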

