PF Firewall ExpireTable

From what I understand, ExpireTable will remove entries based on a specified age. Is there a way to remove entries based on the last date accessed?

For example, I have a table called Blacklist. If for some reason the IP address in Blacklist was not blocked for 60 days, I would like to remove the address.

Somehow I cannot find a way to get the last date the table entry was blocked.

Thanx
Allan
 
Very complicated....
It would need to activate logging in the pf rule and monitor tcpdump with a script to retain the connection attempts of a given host...

For your information you do not need to use sysutils/expiretable

This command does the same for a table named "Blacklist"

pfctl -t Blacklist -T expire 86400 # 86400 seconds

(https://www.freebsd.org/doc/handbook/firewalls-pf.html)

In fact if you update to FreeBSD 11.1, now Blacklistd can do that for you for SSH, FTPD.

By default, Blacklistd records 3 failures to connect (it's up to you to set it to 2 or 1) of a given host for a given service and inserts it in its banning database for a given period set in the config file. So blacklistd communicates with PF or IPFW, sets up a banning rule and creates a banning table. At the expiry date, blacklistd cleans the banning table of the firewall.

If you want to unban an IP before the expiry date, just manipulate the firewall tables (portxxx) and remove the IP. Host will be added again if it fails again to connect x times.

If a given host is already banned and tries to connect further but without reaching the critical number of failures, I don't know if blacklistd resets the time to expiry date at this moment, interesting point because it would answer your question.

Here is a little guide to set up blacklistd with PF or IPFW:

https://people.freebsd.org/~lidl/blacklistd.html

Try, test and tell us more about the behaviour of blacklistd
 
From what I understand, ExpireTable will remove entries based on a specified age. Is there a way to remove entries based on the last date accessed?
No, the information is not available. You only know how old an entry in a table is, not when it was used.

Code:
             -T expire number
                           Delete addresses which had their statistics cleared
                           more than number seconds ago.  For entries which
                           have never had their statistics cleared, number
                           refers to the time they were added to the table.

You might get something closely resembling what you want if you can get the statistics cleared after each usage. But I don't know how you would configure that.
 
SirDice: I plagiarized a perl script from pantz.org that I use for reporting to an HTML file, and I took the approach of deleting a blacklisted address and then adding it back to the table based on usage from a tcpdump of pflog. This should work for table entries that are in the form of a non-subnet. It will not work however for subnet address table entries, as the pfctl delete command will not match the table address entry.

Wozzeck.Live: I was familiar with the pfctl command to expire the table; it seemed easier to write the expiretable form. I upgraded the computer in question to 11.1 when I recently first read about blacklistd. I have not done anything with it yet. The PF firewall that I currently have works reasonably well and I wanted to go as far as I could with the current implementation. Looks like I will be adding blacklistd to my todo list because of the above.

Thanx to all that responded.
Allan
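An added example, not a script posted in this thread: it combines SirDice's observation (clear an entry's statistics after each use, so that "-T expire" measures time since the last block rather than time since insertion) with Allan's approach of driving the table from a tcpdump of pflog, but without the delete/re-add step, by zeroing the entry's per-address statistics instead. It assumes a FreeBSD pfctl that accepts "-T zero <address>" for a single entry, tcpdump's "-n -e" pflog0 line format, and the table name, log interface and 60-day expiry set at the top; the sample log line is constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Keep "Blacklist" entries alive while
# they are still being hit, and let "-T expire" drop the ones that go quiet.
# Assumptions: pfctl supports "-T zero <address>" (reset one entry's stats),
# tcpdump prints pflog0 lines as "<ts> rule N/0(match): block in on <if>: src.port > dst.port: ...".

TABLE="${TABLE:-Blacklist}"             # assumed table name (from the question)
PFLOG_IF="${PFLOG_IF:-pflog0}"          # assumed pflog interface
EXPIRE_SECS="${EXPIRE_SECS:-5184000}"   # 60 days, as in the original question
PFCTL="${PFCTL:-pfctl}"                 # set PFCTL=echo for a dry run

# Constructed sample of a tcpdump -n -e pflog0 line for a blocked SYN.
SAMPLE_BLOCK='00:00:00.000000 rule 2/0(match): block in on em0: 203.0.113.7.51234 > 192.0.2.10.22: Flags [S], seq 1, win 512, length 0'

# Print the source address of one tcpdump pflog line when the verdict is
# "block"; print nothing for pass lines. Field 8 is "src.port"; stripping the
# trailing ".port" also works for IPv6 ("2001:db8::1.51234" -> "2001:db8::1").
blocked_src() {
    printf '%s\n' "$1" | awk '
        $2 == "rule" && $4 == "block" && $9 == ">" {
            sub(/\.[0-9]+$/, "", $8)
            print $8
        }'
}

# Reset the per-address statistics of one entry so its age, as seen by
# "-T expire", restarts now. Like "-T delete", this matches the exact table
# entry only: a host inside a /24 entry does not refresh the /24.
refresh_entry() {
    "$PFCTL" -t "$TABLE" -T zero "$1"
}

# Drop entries whose statistics were last cleared (i.e. last blocked) more
# than EXPIRE_SECS ago; run this from cron.
expire_stale() {
    "$PFCTL" -t "$TABLE" -T expire "$EXPIRE_SECS"
}

# Live mode: "sh refresh-blacklist.sh watch". Only block events are requested
# from tcpdump ("action block" is a pflog capture filter keyword); -l
# line-buffers so each entry is refreshed as soon as it is logged.
if [ "${1:-}" = "watch" ]; then
    tcpdump -n -e -l -i "$PFLOG_IF" action block |
    while IFS= read -r line; do
        ip=$(blocked_src "$line")
        [ -n "$ip" ] && refresh_entry "$ip"
    done
fi
```

Run the watcher under a supervisor (or from rc.local) and put expire_stale in cron; because zeroing only touches exact entries, subnet entries in the table still age from their insertion time, the same limitation Allan noted for the delete/re-add method.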
 