quentin.narvor wrote:
I'd like to dump (dup-to operation) all traffic from a subset of hosts
belonging to my internal network. This subset of hosts will be stored in
a table.
I have another table referring to blacklisted hosts (i.e. botnets, etc.).
When a packet goes through the firewall with destination host = an IP of
the blacklist table, I'd like to trigger an addition to the first table (the
one containing internal hosts to dump traffic).
let's call your two tables watchhosts & blackhosts.
ensure that you are logging packets w/ destinations in the blacklist table
(eg. "pass out log on $ext_if to <blackhosts>"). if you are logging a lot
of traffic you may find it useful to create a separate pflog for this rule
and use "log (to <interface>)" in this rule.
write a script that reads the pflog and parses source addresses from packets
that trip the blackhosts rule above. the script then uses something like
"pfctl -t watchhosts -T add <src addr>" to add the address to your table.
please consult the man pages pf.conf(5), pfctl(8) and pflog(4) for additional
information.
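As an added example (not part of the reply above, and not a FreeBSD project script), here is a small POSIX sh script that implements the procedure just described: it reads a dedicated pflog interface with tcpdump, pulls the source address out of every packet that tripped the "pass out log" rule, and feeds each one to "pfctl -t watchhosts -T add". The interface name pflog1, the external interface em0, the table name watchhosts and the sample tcpdump lines are all assumptions made for the example; the corresponding pf.conf rule would be "pass out log (to pflog1) on em0 to <blackhosts>".

```shell
#!/bin/sh
# Hypothetical example script: watch a dedicated pflog interface and add the
# source of each matching packet to the watchhosts table.
# Assumed names: pflog1 (from "log (to pflog1)" on the blackhosts rule),
# em0 ($ext_if), watchhosts (the table to populate).

PFLOG_IF="${PFLOG_IF:-pflog1}"
WATCH_TABLE="${WATCH_TABLE:-watchhosts}"
PFCTL="${PFCTL:-pfctl}"   # point this at a stub to dry-run without touching pf

# Constructed sample of "tcpdump -n -e -i pflog1" output (not a real capture).
# Two TCP packets from the same host, one ICMP packet from another, and a
# packet from an unrelated "block in" rule that must be ignored.
SAMPLE_LOG='00:00:00.000000 rule 7/0(match): pass out on em0: 192.168.10.22.51234 > 203.0.113.45.443: Flags [S], seq 1, win 65535, length 0
00:00:00.012345 rule 7/0(match): pass out on em0: 192.168.10.22.51235 > 203.0.113.45.443: Flags [S], seq 2, win 65535, length 0
00:00:00.020000 rule 7/0(match): pass out on em0: 192.168.10.57 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
00:00:00.030000 rule 3/0(match): block in on em0: 198.51.100.8.4444 > 192.168.10.1.22: Flags [S], seq 3, win 1024, length 0'

# extract_sources: read tcpdump pflog text on stdin and print the source IPv4
# address of each "pass out" packet once. Only IPv4 is handled: tcpdump prints
# "addr.port", and an IPv6 address cannot be split on dots the same way.
extract_sources() {
    awk '
        / pass out on / {
            for (i = 1; i <= NF; i++) {
                if ($i == ">") {
                    src = $(i - 1)
                    n = split(src, p, ".")
                    # "a.b.c.d.port" -> "a.b.c.d"; ICMP lines carry no port
                    if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
                    if (!seen[src]++) { print src; fflush() }
                    break
                }
            }
        }'
}

# add_to_watchlist: one address per line on stdin, each added to the table.
# Re-adding an address already in the table is harmless.
add_to_watchlist() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        "$PFCTL" -t "$WATCH_TABLE" -T add "$addr"
    done
}

# demo: show what the parser extracts from the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | extract_sources
}

# main: live mode on the firewall. -l line-buffers tcpdump so addresses are
# added as packets arrive; -n avoids DNS lookups; -e prints the pflog header
# (rule number, action, interface) that extract_sources keys on.
main() {
    tcpdump -l -n -e -i "$PFLOG_IF" | extract_sources | add_to_watchlist
}

case "${1:-}" in
    --run)  main ;;
    --demo) demo ;;
esac
```

Run it as "sh watch.sh --demo" to see the parser output for the sample, or "sh watch.sh --run" as root on the firewall. The awk dedup set only prevents repeated pfctl calls for the same host within one run; since adding an existing address to a table is a no-op, a restart does no harm.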
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf