External scripts with PF.

Peter Maxwell peter at allicient.co.uk
Tue Dec 22 06:46:49 UTC 2009


2009/12/22 Gaurav Ghimire <gaurav at subisu.net.np>:

> thinking if I could be informed via an email alert that a new IP has
> been added to the table abusive_ips.  It seems this would have been
> possible if there was a possibility that I could trigger an external
> script on the 3rd rule I have. And the external script would just
> do pfctl -t abusive_ips -T show and mail it to me, or I could just have
> some more intelligence there and save a record of the previous show
> output and mail the diffs; that way I could get the new IPs that have
> been added to the table. And inform the clients that they have
> something fishy going on at their end that is bombing my mail servers. That
> way I would not need to make it a regular cron job and would have the
> advantage of running it only when a new IP is added to the table.
>
> Was just thinking if this could have been possible.

Writing or modifying a script to suit your needs then putting it in a
crontab to run even every few minutes will do what you want.  It will
also take significantly less effort than breaking out your C compiler
and learning enough about pf's API and internals to do it more
elegantly.

Apart from anything else, it is poor firewall design to have your
firewall box execute code based on rules getting hit; if you don't
understand why, seriously - get someone else to set up the firewall for
you.  If you look at commercial firewalls, any event notification is
not done by the firewall appliance itself, it's always done on either
a separate management console, IDS, SEM, whatever.
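The cron-driven approach recommended above, as an added example that is not part of the thread: it snapshots the table, diffs it against the previous run and mails only the new entries, so pf itself never executes anything. The table name abusive_ips comes from the thread; the state directory /var/db/pf-watch, the --run argument, the script path in the crontab line and delivery via mail(1) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven watcher for a pf table.
# Assumed: table abusive_ips (from the thread), state dir /var/db/pf-watch,
# mail(1) for delivery, and a --run argument so cron (not pf) triggers the work.
TABLE="${TABLE:-abusive_ips}"
STATE_DIR="${STATE_DIR:-/var/db/pf-watch}"
MAILTO="${MAILTO:-root}"

# new_entries PREV CUR: print addresses present in CUR but absent from PREV.
# Both files hold one address/prefix per line; comm(1) needs sorted input,
# so sorted copies are compared and the originals are left untouched.
new_entries() {
    _p=$(mktemp) && _c=$(mktemp) || return 1
    sort -u "$1" > "$_p"
    sort -u "$2" > "$_c"
    comm -13 "$_p" "$_c"
    rm -f "$_p" "$_c"
}

# run_check: snapshot the table, mail what is new since the last run,
# then keep the snapshot as the baseline for the next run.
run_check() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/$TABLE.prev"
    cur="$STATE_DIR/$TABLE.cur"
    [ -f "$prev" ] || : > "$prev"   # first run: empty baseline, everything is "new"
    # pfctl indents each entry with spaces; strip them so lines compare cleanly.
    pfctl -t "$TABLE" -T show | sed 's/^[[:space:]]*//' > "$cur"
    added=$(new_entries "$prev" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in pf table %s on %s:\n\n%s\n' \
            "$TABLE" "$(hostname)" "$added" |
            mail -s "pf: new entries in table $TABLE" "$MAILTO"
    fi
    mv "$cur" "$prev"
}

# Crontab entry (assumed path): */5 * * * * /usr/local/sbin/pf-table-watch --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Entries that leave the table (for example when an expire sweep removes them) are not reported; swapping `comm -13` for `comm -23` in a second call would list those as well.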


More information about the freebsd-pf mailing list