Program to add/delete a rule from pf
Rajkumar S
rajkumars at gmail.com
Wed Jul 19 06:20:26 UTC 2006
On 7/18/06, Max Laier <max at love2party.net> wrote:
> On Tuesday 18 July 2006 19:30, Rajkumar S wrote:
> Just a short hint rather than debugging your code: Did you look into using
> anchors like spamd and authpf do? That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.
Yes, I did consider that. In fact there is already an existing plugin
for snortsam working along this line. The way it works is to have an
anchor with the following rules.
table <blockin> persist
table <blockout> persist
block in log quick from <blockin> to any
block out log quick from any to <blockout>
Now the disadvantage is that this blocks all connections from an IP if
a rule gets triggered, which is pretty broad. What I want is to have
finer grained rules, i.e. block only the offending connection, defined
by the sip, dip, sport and dport. Such a configuration cannot be
handled by tables, AFAIK. This is the reason I wanted to add and remove
the rules themselves.
Of course this will be done inside an anchor.
Just to clarify once more, my requirement is to add and remove rules
like the ones below inside an anchor.
block in quick on fxp0 proto tcp from 192.168.3.3 port 1025 to 64.233.167.99 port 80
block in quick on fxp0 proto tcp from 192.168.3.23 port 1054 to 72.14.207.99 port 8080
Rule additions and deletions will be triggered by snort, via snortsam.
I would have been happy if pfctl supported a -D option like iptables,
as that is the only thing I am lacking. I do not want to flush the
anchor completely and start all over again to delete a rule.
raj
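One way to get per-rule add/delete without a pfctl -D, as an added example that is not part of the thread or of snortsam: keep the anchor's ruleset in a local state file that the plugin owns, add or remove the single 5-tuple rule there, and reload just that anchor from the file (pfctl -a anchor -f file replaces the anchor's rules atomically, so the main ruleset is untouched). The anchor name and state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the anchor
# "snortsam" and the state file /var/db/pf-snortsam.rules (override via env).
ANCHOR="${ANCHOR:-snortsam}"
STATE="${STATE:-/var/db/pf-snortsam.rules}"

# Build one connection-specific block rule of the shape used in the thread.
mk_rule() {  # iface proto sip sport dip dport
    printf 'block in quick on %s proto %s from %s port %s to %s port %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Append a rule to the state file unless an identical line is already there
# (-x whole line, -F fixed string, so "port 80" does not match "port 8080").
rule_add() {  # rule-text
    touch "$STATE"
    if ! grep -qxF -- "$1" "$STATE"; then
        printf '%s\n' "$1" >> "$STATE"
    fi
}

# Drop exactly the matching line; every other rule in the anchor stays.
# grep exits 1 when nothing is left, which is a legitimate empty ruleset.
rule_del() {  # rule-text
    [ -f "$STATE" ] || return 0
    grep -vxF -- "$1" "$STATE" > "$STATE.tmp" || true
    mv "$STATE.tmp" "$STATE"
}

# Number of rules currently held for the anchor.
rule_count() {
    if [ -f "$STATE" ]; then echo $(( $(wc -l < "$STATE") )); else echo 0; fi
}

# Replace the anchor's rules with the state file's contents. Only the anchor
# is reloaded, so the rest of the loaded pf ruleset is not disturbed.
pf_reload_anchor() {
    pfctl -a "$ANCHOR" -f "$STATE"
}
```

Call rule_add or rule_del from the snortsam hook and follow it with pf_reload_anchor; an empty state file leaves the anchor with no rules.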
More information about the freebsd-pf mailing list