# pf saving into files



## atmosx (Sep 11, 2012)

Hello,

Reading 'pf' documentation and a few tutorials online I came up with a few simple rules to block ssh-bruteforce attacks. Works fine now but I'd like to be able to 'save' them.

From the manual I read:

> persist - causes the kernel to keep the table in memory even when no rules
> refer to it. Without this attribute, the kernel will automatically remove
> the table when the last rule referencing it is flushed.

This is related to memory and the kernel. What I'd like to do is save the banned IPs to a file and load this file on boot. To load this file into the table I came up with

`table <sshbf> persist file "/etc/ssh/pf_banned_ips"`, but in order to 'save' the newly added IPs to 'pf_banned_ips', do I have to write a script on my own or can pf somehow handle this?

Thanks


----------



## SirDice (Sep 11, 2012)

I suggest using something like security/sshguard-pf or security/py-fail2ban.


----------



## atmosx (Sep 11, 2012)

SirDice said:

> I suggest using something like security/sshguard-pf or security/py-fail2ban.



I used to run fail2ban, and even wrote a ruby script to get some stats. I know how effective it is; however, my server is an embedded RDC system with just 512 MB of RAM.

I'd like to save as much RAM as possible. pf already runs and does a good job of blocking IPs, so I don't need another process running. I can always write a ruby script to check 5/6 times per day and update the file... But I'd like to know if there's a native way to do it.

Thanks


----------



## SirDice (Sep 11, 2012)

In that case I recommend security/sshguard-pf. It doesn't have a process running, it's simply triggered from syslog.conf(5). The port doesn't have any dependencies either.


----------



## wblock@ (Sep 11, 2012)

```
table <permablock> persist file "/etc/pf.permablock"
...
block in quick on $ext_if from <permablock> to any
```

Addresses or CIDR ranges can be added to the file with a text editor, but (I think) should not be done when pf is running.

`# pfctl -t permablock -T add ...`
should work, but I have not tried that with a persistent file.

This is used for certain relentless sources of spam or other types of network abuse.


----------
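pf loads a `persist file` table at rule-load time but never writes it back, so the "save" half of the question needs a small script. The one below is an added example, not from any post in this thread or from pf's own tools; it assumes the table name `sshbf` and the file path from the first post, merges the live table into that file (keeping entries and comments already there) and replaces it atomically, so it can run from cron or before shutdown.

```sh
#!/bin/sh
# Added example: persist the contents of a pf table to the file that
# "table <sshbf> persist file ..." reloads at boot. pf never writes the
# file itself; this script performs that save step.
# Assumed defaults (from the thread, override via environment):
TABLE="${TABLE:-sshbf}"
FILE="${FILE:-/etc/ssh/pf_banned_ips}"

# Read the live table (one address per line, indented by pfctl).
# Kept in its own function so it can be replaced when testing offline.
dump_table() {
    pfctl -t "$1" -T show
}

# merge_entries FILE < new_entries
# Union of the addresses already in FILE and those on stdin:
# comments and blank lines dropped, whitespace trimmed, sorted unique.
merge_entries() {
    file="$1"
    {
        [ -r "$file" ] && cat "$file"
        cat
    } | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$' | sort -u
}

# save_table TABLE FILE: merge the current table into FILE and swap it
# in with mv, so a crash mid-write never leaves a truncated boot file.
save_table() {
    table="$1"; file="$2"
    tmp="$file.tmp.$$"
    dump_table "$table" | merge_entries "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv "$tmp" "$file"
}

# count_entries FILE: number of stored addresses (handy for a cron report).
count_entries() {
    merge_entries "$1" < /dev/null | wc -l | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
    save_table "$TABLE" "$FILE"
fi
```

Reloading with `pfctl -f /etc/pf.conf` re-reads the file, so after a reboot the table contains everything saved plus anything added live with `pfctl -t sshbf -T add`.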



## atmosx (Sep 11, 2012)

Thank you both for the hints.


----------



## numpad5 (Sep 12, 2012)

Might also look into pflogd, but I am not a firewall expert myself, so I haven't had to use this much before.


----------

