
Re: [OpenBSD-pf] dynamic filtering based on httpd error_log



On Sun, Feb 16, 2003 at 02:49:06AM -0500, Nathan Fisher wrote:
> 	I'm primarily interested in dynamic addition and removal of rule
> sets using pf.
With -current, this is pretty simple with tables.
For instance, I add IP addresses to a block rule when they request
certain pages from my web server. It's worth noting that a client must
complete the TCP handshake to fetch a page and get logged in the web
server log, so spoofing source addresses is no threat to this setup.
$ cat quickblock.grep
/crawlertrap/
/_vti_bin/
"GET /www/scripts/
cmd.exe
root.exe
$ cat quickblock (this is run from a cronjob)
# start from the current table contents so earlier offenders stay blocked
cat ~/quickblock >~/quickblock.tmp
# append the client address (first log field) of every request matching a trap pattern
egrep -f ~/quickblock.grep /var/log/thttpd | cut -d " " -f 1 >>~/quickblock.tmp
# deduplicate and never block localhost
sort -u <~/quickblock.tmp | grep -v "^127\.0\.0\.1$" >~/quickblock
# load the new list as the table's contents
pfctl -t quickblock -T replace -f ~/quickblock
$ pfctl -sr | grep quickblock
block drop in quick on kue0 inet from <quickblock> to any
So if a client requests /crawlertrap/index.html, because it's an
impolite web crawler dishonouring my robots.txt, it gets added to the
quickblock table within a couple of minutes (when the cronjob runs the
next time), which blocks further connections from that source.
With pfctl -t quickblock -T <command>, you can manually add or remove
addresses from that table, view statistics, etc., see the new pfctl man
page.
Evaluation of the ruleset doesn't get more expensive when the table size
grows; that's the nice thing about tables:
$ pfctl -t quickblock -T show | wc -l
414
It doesn't really matter if there are 400 or 40000 addresses in that
table; the rule will evaluate equally fast.
Daniel
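As an added example (not Daniel's script), the same cron-job logic in Python: it applies the quickblock.grep patterns to constructed log lines, keeps only entries whose first field parses as an IP address (a hostname, logged when the server does reverse lookups, would make pfctl reject the whole table file), drops loopback, merges with the existing table and produces the file that `pfctl -t quickblock -T replace -f` would load. The sample log and existing table contents are constructed.

```python
import ipaddress
import re

# Request patterns that mark a client for blocking (same patterns as quickblock.grep).
TRAP_RE = re.compile(r'/crawlertrap/|/_vti_bin/|"GET /www/scripts/|cmd\.exe|root\.exe')

# Clients never blocked even if they hit a trap URL: loopback, as in the cron job.
NEVER_BLOCK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def offending_addresses(log_lines):
    """Return the set of client IPs whose log line matches a trap pattern.

    The first field (remote host in common log format) must parse as an IP
    address; anything else (e.g. a reverse-resolved hostname) is skipped so it
    cannot make 'pfctl -T replace' reject the whole file.
    """
    found = set()
    for line in log_lines:
        if not TRAP_RE.search(line):
            continue
        try:
            addr = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # not an address; keep it out of the table file
        if not any(addr in net for net in NEVER_BLOCK):
            found.add(addr)
    return found

def merge_table(existing_text, new_addrs):
    """Union the current table file with new offenders; sorted, one address per line."""
    current = {ipaddress.ip_address(t) for t in existing_text.split()}
    merged = sorted(current | set(new_addrs), key=lambda a: (a.version, int(a)))
    return "".join(f"{a}\n" for a in merged)

# Constructed sample log lines (common log format) for a dry run.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2003:02:49:06 -0500] "GET /crawlertrap/index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [16/Feb/2003:02:50:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
    '127.0.0.1 - - [16/Feb/2003:02:51:00 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 0',
    'bot.example.net - - [16/Feb/2003:02:52:00 -0500] "GET /scripts/cmd.exe HTTP/1.0" 404 0',
    '203.0.113.5 - - [16/Feb/2003:02:53:00 -0500] "GET /scripts/root.exe HTTP/1.0" 404 0',
]
EXISTING_TABLE = "203.0.113.200\n192.0.2.10\n"  # constructed current ~/quickblock contents

if __name__ == "__main__":
    new_file = merge_table(EXISTING_TABLE, offending_addresses(SAMPLE_LOG))
    print(new_file, end="")
    # The cron job would write new_file to ~/quickblock and then run:
    #   pfctl -t quickblock -T replace -f ~/quickblock
```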