On 2007/06/28 09:02, J.D. Bronson wrote:
> At 08:56 AM 06/28/2007, Stuart Henderson wrote:
>> On 2007/06/28 08:46, J.D. Bronson wrote:
>> > Will NEW offenders be added to /etc/tables/scanners
>> > as they are discovered and therefore not just remain in kernel?
>>
>> No, pf does not write to files.
>> How about cron(8) and pfctl(8) instead?
>
> so if it won't write to a file... I presume it blocks
> what's listed in /etc/tables/scanners permanently and then only
> blocks NEW offenders via kernel memory?
> (can someone clarify my understanding of that?)

yes. when the ruleset is loaded, the table in memory is populated with
the contents of /etc/tables/scanners. when someone hits overload, they
are just added to the table in memory.

> I would ideally like to stop attacks and then write the offenders in a file
> so I don't lose these during a reboot...
>
> what if I cron something like this:
>
> pfctl -t scanners -T show >> /etc/tables/scanners
> pfctl -f /etc/pf.conf
>
> Would that work??

no need to reload the ruleset each time, and your table file will grow
quite large by using >> to append each time; this would be better:

TMPFILE=`mktemp -p /etc/tables scanners.XXXXXXXXXX` || exit 1
pfctl -t scanners -Ts > $TMPFILE && mv $TMPFILE /etc/tables/scanners

this is all from a 'how to do it' point-of-view, I don't think it's all
that useful. if an attacker is still active, they'll hit overload soon
enough anyway.
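The mktemp-and-mv idea above, worked into a small cron-able script as an added example (not code from the thread or from OpenBSD): it unions the in-kernel table dump with whatever is already persisted instead of appending, drops any line that does not look like an address or prefix, and only then replaces the file atomically. The table name "scanners" and the path /etc/tables/scanners are taken from the thread; the pfctl invocation is shown in a comment because the script is exercised here on constructed input.

```shell
#!/bin/sh
# persist_table FILE  (reads one table entry per line on stdin, as printed by
#                      `pfctl -t scanners -Ts`)
# Merges stdin with the entries already in FILE, keeps only IPv4/IPv6
# addresses or CIDR prefixes, and replaces FILE atomically via mktemp + mv,
# so a crash mid-write never leaves a half-written table file behind.
persist_table() {
    file=$1
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/$(basename "$file").XXXXXXXXXX") || return 1
    {
        # existing persisted entries, if the file is already there
        [ -f "$file" ] && cat "$file"
        # pfctl -Ts indents each entry with spaces; strip the indentation
        sed 's/^[[:space:]]*//'
    } |
    # sanity filter, not a full validator: dotted-quad IPv4 or colon IPv6,
    # each with an optional /prefix; anything else is dropped
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?$' |
    sort -u > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# count_entries FILE -> number of persisted entries
count_entries() {
    grep -c . "$1"
}

# Real use from cron(8), e.g. every few minutes (assumed schedule):
#   pfctl -t scanners -Ts | persist_table /etc/tables/scanners
# The saved file is what `table <scanners> persist file "/etc/tables/scanners"`
# loads on the next pfctl -f, so the entries survive a reboot.
```

Because the file is replaced wholesale rather than appended to, it stays bounded by the number of distinct addresses ever overloaded, and the `mv` makes the update atomic even if cron fires while pf is reading the file.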

