pfadapt functions
This page documents the functions supported by pfadapt. These functions are embedded in the labels of pf rules, as in the following example:
block out log on re0 proto tcp from any flags R/R \
label ":add_to_table(destination, bad_guys)"
To distinguish labels that should be processed by pfadapt, the label of every such rule must begin with a single ":". Inside that label you embed a call to one of the functions documented on this page.
IMPORTANT: Don't forget to log all packets matched by rules intended to be processed by pfadapt (the log keyword in the example above)!
add_to_table
SYNOPSIS:
add_to_table(address, table_name)
- address - keyword source or destination
- table_name - name of table (without any quotes)
This function adds the specified address to the specified table whenever a packet matching that rule is spotted by pfadapt. It is a good idea to use this function either paired with remove_from_table or in combination with a crontab entry that empties the table periodically.
remove_from_table
SYNOPSIS:
remove_from_table(address, table_name)
- address - keyword source or destination
- table_name - name of table (without any quotes)
This function removes the specified address from the specified table whenever a packet matching that rule is spotted by pfadapt.
limit_number_add_to_table
SYNOPSIS:
limit_number_add_to_table(address, number, table_name)
- address - keyword source or destination
- number - integer number
- table_name - name of table (without any quotes)
Adds the specified address to the specified table once the specified number of packets matching that rule has been counted. For example:
block in log on re0 proto tcp from any to any port ftp \
label ":limit_number_add_to_table(source, 5, bad_guys)"
will add a host that is trying to connect to the ftp port to the table bad_guys after seeing 5 packets coming from it.
limit_number_remove_from_table
SYNOPSIS:
limit_number_remove_from_table(address, number, table_name)
- address - keyword source or destination
- number - integer number
- table_name - name of table (without any quotes)
This function removes the specified address from the specified table once the specified number of packets matching that rule has been encountered. It is the counterpart of limit_number_add_to_table.
limit_rate_add_to_table
SYNOPSIS:
limit_rate_add_to_table(address, number, time, table_name)
- address - keyword source or destination
- number - integer number
- time - integer number (represents number of seconds)
- table_name - name of table (without any quotes)
This function adds the specified address to the specified table if packets matching the rule occur at the specified rate. For example:
block in log on re0 proto tcp to any port 139 \
label ":limit_rate_add_to_table(source, 5, 5, warning5)"
will add the packet source to table warning5 once 5 attempts from that host to connect to port 139 are seen with at most 5 seconds between consecutive attempts. If, for example, there are 2 attempts followed by a 10-second pause, the statistics for that host are cleared after the pause, so 5 attempts are needed again.
limit_rate_remove_from_table
SYNOPSIS:
limit_rate_remove_from_table(address, number, time, table_name)
- address - keyword source or destination
- number - integer number
- time - integer number (represents number of seconds)
- table_name - name of table (without any quotes)
This function removes the specified address from the specified table if that address is seen the specified number of times with pauses between occurrences shorter than the specified time. It is the counterpart of limit_rate_add_to_table.
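The following is an added example, not pfadapt's own code: a small Python simulator of the label-driven table actions documented on this page (plain add/remove, the packet-count variants, and the rate variants with the "statistics cleared after a long pause" behaviour described above). Real pfadapt reads the pflog interface; here the fields it would extract (timestamp, source, destination, rule label) are supplied as constructed tuples, and the pfctl commands are collected as strings instead of being executed. Two details the page does not specify are assumptions: the counter restarts after a function fires, and labels naming an unknown function are ignored.

```python
"""Simulator of pfadapt-style label processing (added example, not pfadapt code)."""
import re
from collections import defaultdict

LABEL_RE = re.compile(r"^:(\w+)\((.*)\)$")  # ":func(arg, arg, ...)"


def parse_label(label):
    """Return (function_name, [args]) for a pfadapt label, or None for an ordinary pf label."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    return m.group(1), [a.strip() for a in m.group(2).split(",")]


class PfAdaptSim:
    def __init__(self):
        self.tables = defaultdict(set)   # table name -> addresses currently in it
        self.commands = []               # pfctl invocations that would have been run
        self.counts = defaultdict(int)   # (label, addr) -> packets seen (limit_number_*)
        self.rate = {}                   # (label, addr) -> (count, last_ts) (limit_rate_*)

    def _add(self, table, addr):
        self.tables[table].add(addr)
        self.commands.append(f"pfctl -t {table} -T add {addr}")

    def _remove(self, table, addr):
        self.tables[table].discard(addr)
        self.commands.append(f"pfctl -t {table} -T delete {addr}")

    def handle(self, ts, src, dst, label):
        parsed = parse_label(label)
        if parsed is None:
            return  # not a pfadapt label
        func, args = parsed
        addr = src if args[0] == "source" else dst
        action = self._add if func.endswith("add_to_table") else self._remove
        key = (label, addr)
        if func in ("add_to_table", "remove_from_table"):
            action(args[1], addr)
        elif func in ("limit_number_add_to_table", "limit_number_remove_from_table"):
            number, table = int(args[1]), args[2]
            self.counts[key] += 1
            if self.counts[key] >= number:
                self.counts[key] = 0  # assumption: counter restarts after firing
                action(table, addr)
        elif func in ("limit_rate_add_to_table", "limit_rate_remove_from_table"):
            number, window, table = int(args[1]), int(args[2]), args[3]
            count, last = self.rate.get(key, (0, None))
            if last is not None and ts - last > window:
                count = 0  # pause longer than `time`: statistics for this host are cleared
            count += 1
            if count >= number:
                count = 0  # assumption: counter restarts after firing
                action(table, addr)
            self.rate[key] = (count, ts)
        # assumption: any other function name is ignored


def run(events):
    """Feed (ts, src, dst, label) events to a fresh simulator in time order."""
    sim = PfAdaptSim()
    for ev in sorted(events):
        sim.handle(*ev)
    return sim


# Constructed sample events using RFC 5737 documentation addresses.
COUNT = ":limit_number_add_to_table(source, 5, bad_guys)"
RATE = ":limit_rate_add_to_table(source, 5, 5, warning5)"
EVENTS = (
    [(0, "198.51.100.7", "192.0.2.10", "ssh-traffic")]                          # ordinary label
    + [(t, "203.0.113.5", "192.0.2.10", COUNT) for t in range(1, 6)]             # 5 packets
    + [(t, "203.0.113.9", "192.0.2.10", RATE) for t in (0, 1, 11, 12, 13, 14, 15)]  # 2, pause, 5
    + [(20, "203.0.113.5", "192.0.2.10", ":remove_from_table(source, bad_guys)")]
)

if __name__ == "__main__":
    for cmd in run(EVENTS).commands:
        print(cmd)
```

The 203.0.113.9 host sends two packets, pauses 10 seconds, then five more one second apart: the pause exceeds the 5-second window, so the first two are forgotten and the table entry is created only at the fifth packet after the pause, matching the page's description.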
HINT: Use pfadapt -dv when debugging your firewall configuration to understand what pfadapt is trying to do.
