On 2024/11/19 22:51, Rob LA LAU wrote:
> I'd like to request the implementation of a new feature in pfctl.
> This new feature, as stated in the subject, would allow resetting the
> statistics for a single IP address.
>
> The resetting of statistics for all IP addresses in a specified table is
> already implemented (`pfctl -t sometable -T zero').
> However, resetting the statistics for a single IP address in a table would
> allow me to continuously block repeat offenders, while releasing one-time
> offenders.

...

> The man page for pf(4) says that PF already supports the ioctl command
> DIOCRCLRASTATS, which does exactly what I want.

Since the ioctl exists and isn't used by pfctl, I think it does make sense
to add this, but...

> An offender is added to a certain table, let's call it <blocked>, either by
> PF using the 'overload' feature, an external tool like blacklistd or
> fail2ban, or manually.
> A cronjob expires addresses in table <blocked> after a time period X (`pfctl
> -t blocked -T expire 1209600').
> An external tool like blacklistd or fail2ban (or something home-brewed)
> tracks the PF log, and resets the statistics for offending hosts that are
> already in table <blocked>.
> This way, repeat offenders will remain in table <blocked> indefinitely,
> while hosts that attacked my server 'by accident' will get a retry.

...don't those tools already manage expiry? I haven't used blacklistd or
fail2ban, but sshguard does, with increasing timeouts for repeat offenders,
which seems a sensible way to do it.
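The following is an added example, not part of the thread and not pfctl or FreeBSD code. It is a small Python model of the table lifecycle the request describes (add, `-T zero`, per-address DIOCRCLRASTATS, `-T expire`), so the difference between "re-add the offender" and "clear the offender's statistics" can be replayed without a pf host. The semantics it assumes are: an address added to a table gets a "cleared" timestamp set to now; re-adding an address that is already present leaves that timestamp alone; `-T zero` resets statistics and the timestamp for every address; DIOCRCLRASTATS does the same for the listed addresses only; `-T expire N` deletes addresses whose timestamp is more than N seconds old. The addresses and timeline are constructed (documentation ranges), and `escalated_timeout` is an illustrative doubling scheme standing in for the "increasing timeouts" idea, not sshguard's actual algorithm.

```python
"""Model of a pf table under `-T add`, `-T zero`, DIOCRCLRASTATS and `-T expire`.

Added example, not code from the thread or from pfctl. The pf semantics
below are assumptions stated in the lead-in; addresses are constructed.
"""
from dataclasses import dataclass

EXPIRE_AFTER = 1209600  # seconds; the cron job value quoted in the thread (14 days)


@dataclass
class Entry:
    tzero: int        # last time this address's statistics were cleared
    packets: int = 0  # packets counted against the address since tzero


class BlockTable:
    """In-memory stand-in for a pf table such as <blocked>."""

    def __init__(self):
        self.entries: dict[str, Entry] = {}

    def add(self, addr: str, now: int) -> bool:
        """pfctl -t blocked -T add addr: returns False if already present (no-op)."""
        if addr in self.entries:
            return False
        self.entries[addr] = Entry(tzero=now)
        return True

    def hit(self, addr: str) -> None:
        """A packet from addr matched the table; bump its counter."""
        self.entries[addr].packets += 1

    def zero_all(self, now: int) -> None:
        """pfctl -t blocked -T zero: every address starts a fresh expiry clock."""
        for e in self.entries.values():
            e.packets, e.tzero = 0, now

    def zero_addr(self, addr: str, now: int) -> bool:
        """DIOCRCLRASTATS for a single address (the feature the thread requests)."""
        e = self.entries.get(addr)
        if e is None:
            return False
        e.packets, e.tzero = 0, now
        return True

    def expire(self, max_age: int, now: int) -> list[str]:
        """pfctl -t blocked -T expire max_age: drop addresses cleared too long ago."""
        stale = [a for a, e in self.entries.items() if now - e.tzero > max_age]
        for a in stale:
            del self.entries[a]
        return stale


# Constructed timeline (documentation addresses, not real offenders).
REPEAT = "198.51.100.7"
ONE_TIME = "203.0.113.9"


def run_scenario(per_address_zero: bool) -> dict[str, object]:
    """Replay the thread's workflow; per_address_zero selects the requested feature."""
    t = BlockTable()
    t.add(REPEAT, now=0)
    t.add(ONE_TIME, now=0)

    # Day 7: the repeat offender shows up in the pf log again.
    t.hit(REPEAT)
    if per_address_zero:
        t.zero_addr(REPEAT, now=600_000)   # refresh only this address's expiry clock
    else:
        t.add(REPEAT, now=600_000)         # what a log-watching tool can do today: a no-op

    # Day 15: the nightly cron job expires anything cleared more than 14 days ago.
    expired = t.expire(EXPIRE_AFTER, now=1_300_000)
    return {"expired": sorted(expired), "remaining": sorted(t.entries)}


def escalated_timeout(strikes: int, base: int = 1800, cap: int = 7 * 86400) -> int:
    """Illustrative tool-side alternative: block time doubles per strike, up to a cap."""
    return min(base * 2 ** (strikes - 1), cap)


if __name__ == "__main__":
    print("re-add only   :", run_scenario(per_address_zero=False))
    print("per-addr zero :", run_scenario(per_address_zero=True))
    print("escalation    :", [escalated_timeout(n) for n in range(1, 6)])
```

With re-add only, both addresses fall out of the table on the same expire run, because re-adding an existing address does not touch its cleared timestamp; with a per-address clear, the one-time offender expires and the repeat offender stays, which is exactly the behaviour the request is after. The escalation function shows the other route: keep pf's expiry simple and let the tool that watches the log decide how long each offender is blocked.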