Hi,
Let me start by saying that I'm a FreeBSD user, but also a very content
user of the PF firewall (under FreeBSD).
I'd like to request the implementation of a new feature in pfctl.
This new feature, as stated in the subject, would allow resetting the
statistics for a single IP address.
The resetting of statistics for all IP addresses in a specified table is
already implemented (`pfctl -t sometable -T zero').
However, resetting the statistics for a single IP address in a table
would allow me to continuously block repeat offenders, while releasing
one-time offenders.
The scenario I'm thinking about is as follows:
An offender is added to a certain table, let's call it <blocked>, either
by PF using the 'overload' feature, an external tool like blacklistd or
fail2ban, or manually.
A cronjob expires addresses in table <blocked> after a time period X
(`pfctl -t blocked -T expire 1209600').
An external tool like blacklistd or fail2ban (or something home-brewed)
tracks the PF log, and resets the statistics for offending hosts that
are already in table <blocked>.
This way, repeat offenders will remain in table <blocked> indefinitely,
while hosts that attacked my server 'by accident' will get a retry.
It is important here to be aware that, with easily available and low
priced short term server contracts (virtual or metal), attackers can
easily switch IP addresses, which makes it undesirable to just keep an
IP address in the <blocked> table indefinitely unconditionally. I've
experienced this myself with the acquisition of one of my servers: its
IP address was listed in certain spammer lists, and it has taken me
almost a year of correspondence with multiple parties before I could
communicate with all of my contacts (even though this was a problem
unrelated to any firewall, it does illustrate the importance of not
blindly blacklisting an IP address indefinitely).
I would have loved to include a patch to pfctl with this feature
request, but I don't have enough confidence in my C skills to do so.
It's been at least 15 years since I experimented with C a little, and
I decided then that I'm more at ease with scripting languages (Perl,
Python, shell, ...).
However, to show that I'm not someone who just throws a problem over the
fence expecting a solution, I did some research.
The man page for pf(4) says that PF already supports the ioctl command
DIOCRCLRASTATS, which does exactly what I want.
The ioctl command DIOCRCLRTSTATS (which clears stats for all addresses
in a table; `pfctl -t sometable -T zero') is called from pfctl_radix.c,
function pfr_clr_tstats(); the call to DIOCRCLRASTATS should probably be
made from the same file.
The function pfr_clr_tstats() is defined in pfctl.h, and called from
pfctl_table.c (function pfctl_table()); the new functionality should
probably be called from the same file/function.
As I see it, there would be 2 possible ways to implement this from a
user point of view:
- add an optional parameter <IP address> to the existing '-T zero'
command, or
- add a new command 'reset <IP address>' or similar to the existing '-T'
subset of commands
Personally I would prefer the second option to avoid confusion in the
use of the '-T zero' command, but I admit that I may not be aware of the
implications of either of those 2 options.
I thank you in advance for considering my feature request.
Sincerely,
Rob LA LAU
--
:wq
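As an added example, not code from the original message, from pfctl or from FreeBSD, here is a sketch in POSIX sh of the "home-brewed" tracker the scenario above describes: it reads the pflog text as printed by `tcpdump -n -e -ttt -r /var/log/pflog`, compares the blocked source addresses with the current contents of a table assumed to be named <blocked>, and refreshes the statistics of the ones already in the table so that the cron job's `pfctl -t blocked -T expire 1209600` leaves them alone (per pfctl(8), `expire` deletes addresses whose statistics were cleared, or which were added, more than the given number of seconds ago). The `pfctl -t blocked -T reset <address>` subcommand it calls is the hypothetical one proposed in the message, not an existing pfctl command, and the table listing and pflog excerpt embedded in the script are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the message, pfctl or FreeBSD.  Assumptions:
# pflog text from `tcpdump -n -e -ttt -r $PFLOG`, a table named <blocked>,
# and the hypothetical `-T reset <address>` subcommand from the feature request.

TABLE=${TABLE:-blocked}
PFLOG=${PFLOG:-/var/log/pflog}

# stdin: pflog text.  Prints the unique source addresses of inbound packets
# that PF blocked, with the port stripped: "203.0.113.7.44192" -> "203.0.113.7",
# "2001:db8::1.22" -> "2001:db8::1"; an ICMP line ("192.0.2.44 > ...") has no
# port and is left as is.
blocked_sources() {
    awk '/\(match\): block in on / {
        src = ""
        for (i = 1; i <= NF; i++)
            if ($i == ">") { src = $(i - 1); break }
        if (src == "") next
        n = split(src, p, ".")
        if (n == 5)                              # IPv4 (or v4-mapped v6) + port
            src = p[1] "." p[2] "." p[3] "." p[4]
        else if (n == 2 && index(src, ":") > 0)  # IPv6 + port
            src = p[1]
        print src
    }' | LC_ALL=C sort -u
}

# $1: file holding `pfctl -t $TABLE -T show` output (addresses with leading
# whitespace); $2: 1 to print sources already in the table, 0 for the rest.
# stdin: pflog text.
classify() {
    table=$1 want=$2
    blocked_sources | awk -v want="$want" '
        FILENAME == ARGV[1] {                    # first input: table members
            sub(/^[ \t]+/, "")
            if ($0 != "") members[$0] = 1
            next
        }
        { if ((($0 in members) ? 1 : 0) == want) print }
    ' "$table" -
}

# Hosts already in <blocked> that attacked again: keep them blocked.
repeat_offenders() { classify "$1" 1; }
# Hosts not (yet) in <blocked>: left to the overload rule, blacklistd, etc.
new_offenders()    { classify "$1" 0; }

# Constructed sample data (not a real capture): two table members and a pflog
# excerpt containing a repeat offender, a new offender, an ICMP line, an IPv6
# line and a passed packet that must be ignored.
SAMPLE_TABLE='   203.0.113.7
   192.0.2.44'
SAMPLE_LOG='00:00:00.000000 rule 5/0(match): block in on em0: 203.0.113.7.44192 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000153 rule 5/0(match): block in on em0: 198.51.100.200.51002 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000007 rule 5/0(match): block in on em0: 192.0.2.44 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
00:00:00.000009 rule 5/0(match): block in on em0: 2001:db8::1.40001 > 2001:db8::5.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000011 rule 3/0(match): pass in on em0: 203.0.113.9.40001 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0'

# Classify the sample without touching pf.
demo() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_TABLE" > "$tmp"
    echo "repeat offenders (reset their statistics):"
    printf '%s\n' "$SAMPLE_LOG" | repeat_offenders "$tmp"
    echo "new offenders (not in <$TABLE>):"
    printf '%s\n' "$SAMPLE_LOG" | new_offenders "$tmp"
    rm -f "$tmp"
}

# Act on the live system: refresh the statistics of every table member seen
# again in pflog, so `-T expire` does not drop it.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    pfctl -t "$TABLE" -T show > "$tmp"
    tcpdump -n -e -ttt -r "$PFLOG" 2>/dev/null | repeat_offenders "$tmp" |
    while read -r addr; do
        # Hypothetical subcommand from the feature request (assumption).
        pfctl -t "$TABLE" -T reset "$addr"
    done
}

case "${1:-}" in
    demo) demo ;;
    run)  main ;;
esac
```

`sh tracker.sh demo` prints the classification of the constructed sample (203.0.113.7 and 192.0.2.44 are repeat offenders, 198.51.100.200 and 2001:db8::1 are new); `sh tracker.sh run` needs root, a pflog interface and the proposed subcommand, and would typically be driven from the same cron that runs `-T expire`. Matching on `block in` only is deliberate: outbound blocks and passed packets must not refresh an address.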