On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovic <riv...@gmail.com> wrote:
> I am new to pf configuration and I am curious whether it is possible to add
> some host into a table in the firewall rules if some conditions are met (not
> if they are broken). I was thinking about some way to prevent port
> scanning of a machine, and what came to me as the obvious way to do it is this
> (in some pseudocode):
>
> block all communication with bad_guys
> allow all communication with good_guys
>
> allow any communication with my open port and put ip in good_guys table
> block sending any rst packet from me and put ip in bad_guys table /*
> somebody tried to connect to non-open port */
>
> /* more criteria to remove someone from good_guys and put in bad_guys,
> according to connection rate, etc */
>
> Anyway, when I tried to code this into pf rules I discovered that I can't
> put a host into a table according to a positive condition. Is there some
> workaround for this, or maybe some better/smarter way to achieve the same
> thing I want to achieve?
Please read up on pf(4) anchors, and also on connection overloads in pf.conf(5), stuff like max-src-conn-rate and so on.

You already said you know about pf(4) tables. You need to populate the tables based on different criteria. I know that connection overload is one. You should be able to define other conditions to populate the tables. And you can use anchors along with tables, define conditions and get what you want.

I hope I have not left out anything important. Best of luck.

-Girish
--
Gayatri Hitech
web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
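As an added example, not from either poster, here is a pf.conf fragment that wires together the pieces Girish names (tables, overload with max-src-conn-rate, and an anchor) around the two tables from the original question. The interface name em0, the port list, and the rate limits are assumptions for illustration. The one caveat worth stating up front: overload only fires when a limit is exceeded, so pf cannot add a source to <good_guys> simply because a packet matched a pass rule; that positive-match table has to be filled from outside pf (see the pfctl commands below).

```pf
# Added example (not from the original thread): pf.conf built around the
# overload mechanism described in pf.conf(5). Interface, ports and limits
# are assumptions; adjust them for the real host.
ext_if = "em0"
open_ports = "{ 22, 80 }"

# Tables from the original question. "persist" keeps a table in the kernel
# even when no loaded rule references it; "counters" makes
# `pfctl -t <name> -T show -v` report per-address packet/byte counts.
table <good_guys> persist counters
table <bad_guys>  persist counters

# Drop silently instead of answering with RST/ICMP unreachable, so probes
# of closed ports get nothing back. This is pf's default; stated here
# explicitly because the question asked for "no RST from me".
set block-policy drop

# 1. Anything from a host already classified as bad is dropped first.
#    "quick" stops evaluation, so later pass rules cannot override it.
block in quick on $ext_if from <bad_guys>

# 2. Default deny for everything else arriving on the external interface.
block in on $ext_if

# 3. Hosts already in <good_guys> reach the open ports without rate limits.
pass in quick on $ext_if proto tcp from <good_guys> to ($ext_if) \
    port $open_ports flags S/SA keep state

# 4. Unknown hosts also reach the open ports, but a source that opens more
#    than 10 new connections in 5 seconds, or holds more than 50 states at
#    once, is added to <bad_guys>. "flush global" tears down every existing
#    state from that source, not just those created by this rule.
#    Note: overload triggers only when a limit is exceeded; there is no
#    syntax for "add the source to a table on every match".
pass in on $ext_if proto tcp to ($ext_if) port $open_ports \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 10/5, \
     overload <bad_guys> flush global)

# 5. Extra criteria can live in an anchor and be reloaded independently
#    with `pfctl -a scan -f /etc/pf.scan.conf` (assumed file name) without
#    reloading the main ruleset.
anchor "scan" in on $ext_if

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Because pf will not populate <good_guys> on a positive match, fill it from userland: `pfctl -t good_guys -T add 192.0.2.10` (address is a placeholder), or a small script that follows `tcpdump -n -e -ttt -i pflog0` and calls `pfctl -T add` for sources that completed a handshake to an open port. Entries in <bad_guys> never expire on their own; a cron job running `pfctl -t bad_guys -T expire 3600` removes addresses that have not been touched for an hour, and `pfctl -t bad_guys -T show -v` shows who was caught and how much traffic was dropped.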