PF filtering

For all sorts of reasons, I do not think I will.

Fair enough that it stands here as a reference for anybody that might find use in it.
 
Question: does anybody know if there is a way to programmatically alter a table that's in memory? Say with C? What I don't want is to maintain a list on disk and then have to constantly flush it to disk and then load from disk.
Do you mean like a C API? If you just want to alter tables you can use pfctl.
From the manual:
table <private> const { 10/8, 172.16/12, 192.168/16 }
table <badhosts> persist
block on fxp0 from { <private>, <badhosts> } to any

creates a table called private, to hold RFC 1918 private network blocks, and a table called badhosts, which is initially empty. A filter rule is set up to block all traffic coming from addresses listed in either table. The private table cannot have its contents changed and the badhosts table will exist even when no active filter rules reference it. Addresses may later be added to the badhosts table, so that traffic from these hosts can be blocked by using

# pfctl -t badhosts -Tadd 204.92.77.111

In that way you can alter tables in memory, and it will have immediate effect on the filtering.
 
My problem with rate limiting is that I couldn't find a way to write something like:

"each ip can only perform a tls handshake X times per Y seconds." Best I could find was "if ip X performs a tls handshake Y times in Z seconds, add to A table."

For now, I think I will probably do a blanket PF policy, and snipe certain things with blacklistd.

This can be done. Well, maybe not at TLS level, but at least at TCP level.

Again from the manual:
For example, the following rules will protect the webserver against hosts making more than 100 connections in 10 seconds. Any host which connects faster than this rate will have its address added to the <bad_hosts> table and have all states originating from it flushed. Any new packets arriving from this host will be dropped unconditionally by the block rule.

block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www keep state \
(max-src-conn-rate 100/10, overload <bad_hosts> flush global)
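The two answers above fit together into one ruleset: the table declarations from the first (a const table for RFC 1918 space, a persist table for offenders) and the overload rule from the second. The following pf.conf is an added example written for this page; it is not taken from the thread or from the pf.conf(5) manual, and the interface name, webserver address, port list and thresholds are assumed for illustration only.

```pf
# Added example, not the poster's or the PF manual's ruleset.
# Assumed values: external interface em0, webserver at 192.0.2.10,
# 100 new connections per 10 seconds as the overload threshold.
ext_if = "em0"
webserver = "192.0.2.10"

# RFC 1918 space. "const" makes the table immutable from pfctl,
# so nothing can accidentally punch a hole in it at runtime.
table <private> const { 10/8, 172.16/12, 192.168/16 }

# Offenders. "persist" keeps the table in the kernel even when no
# rule references it, so it can be managed with pfctl independently.
table <bad_hosts> persist

# Drop anything on the external interface that claims a private source
# address or comes from a host already in <bad_hosts>. "quick" stops
# evaluation here, so the pass rule below never sees these packets.
block in quick on $ext_if from { <private>, <bad_hosts> } to any

# Web traffic is allowed, but a source that creates more than 100 states
# in 10 seconds is added to <bad_hosts> and every existing state from it
# (on any interface, hence "global") is torn down immediately.
pass in on $ext_if proto tcp to $webserver port { www, https } keep state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and inspect the offender list with `pfctl -t bad_hosts -T show`; `pfctl -t bad_hosts -T add 203.0.113.7` and `pfctl -t bad_hosts -T delete 203.0.113.7` change the in-kernel table without touching any file on disk. Two practical points: entries placed in the table by overload never expire on their own, so run something like `pfctl -t bad_hosts -T expire 3600` from cron to drop addresses older than an hour; and max-src-conn-rate counts new TCP state creations matching the rule, not TLS handshakes as such, which for HTTPS is a close enough proxy since each new connection carries one full handshake (renegotiation or resumption on an existing connection is invisible to PF). On the C question raised earlier in the thread: pfctl itself drives the kernel through ioctl(2) calls on /dev/pf (DIOCRADDADDRS and friends, documented in pf(4)), so a C program can add or remove table entries the same way, with no round trip through a file.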
 