# PF tables - WRITE!



## Seeker (Nov 3, 2009)

In /etc/pf.conf

```
table <ssh_bruteforcers> persist file "/var/db/pf/ssh_bruteforcers"

# SSH rules
pass in log inet proto tcp from any to ($ext_if) port 22 keep state (max-src-conn 5, max-src-conn-rate 20/60, overload <ssh_bruteforcers> flush global)
block from <ssh_bruteforcers>
```

So, pf *WILL* read from /var/db/pf/ssh_bruteforcers, but *WILL NOT* write new _infidels_ to /var/db/pf/ssh_bruteforcers; it keeps them *in memory instead*, which *gets emptied* after a reboot, which *WOULD NOT* happen if pf *WOULD* write new _infidels_ to /var/db/pf/ssh_bruteforcers, which it *DOESN'T*.

_Fix?_


----------



## DutchDaemon (Nov 3, 2009)

Don't use a file-based table for data you need to change/add to 

Use a memory-based table (table <ssh_bruteforcers> persist), use cron to dump the contents to a file on disk every 5 minutes (1), and read from that file after a reboot (2), using the @reboot time in cron. Don't forget to expire stale data from the table as well, unless you want the table to keep growing indefinitely.

(1)

```
/sbin/pfctl -t ssh_bruteforcers -Ts > /some/dir/ssh_bruteforcers.table
```

(2)

```
/sbin/pfctl -t ssh_bruteforcers -Tr -f /some/dir/ssh_bruteforcers.table
```

(3)
install security/expiretable, run from cron every hour/day, whatever.

```
/usr/local/sbin/expiretable -t 1d ssh_bruteforcers
```
1d = 1 day, 8h = 8 hours, you get it.

I'll leave the scripting up to you


----------



## Seeker (Nov 4, 2009)

Excellent! 

But why should I install security/expiretable, *IF* I can use:

```
/sbin/pfctl -t ssh_bruteforcers -Te 86400
```
to get rid of entries older than 24 hours?


----------



## DutchDaemon (Nov 4, 2009)

I believe they are not exactly the same (the 'cleared statistics' bit in pfctl's manual), and I wanted to make sure that IPs were removed from the table a fixed time after their being added, no matter what. They may be functionally the same, I don't really know.


----------



## Seeker (Nov 4, 2009)

_Or_ the pfctl *-Te* flag did not exist before, and someone was impatient and created their own app to expire tables; then PF additionally got that expire ability in pfctl.


----------



## DutchDaemon (Nov 4, 2009)

Yeah, I just read the expiretable's manual, and it has the exact same line 



> The age in question being the amount of time that has passed since the statistics for the respective entry in the target table was last cleared.



pfctl:



> Delete addresses which had their statistics cleared more than number seconds ago.



So -Te should be just fine, although it can only handle seconds instead of a nice -s / -m / -h / -d option.


----------



## Seeker (Nov 4, 2009)

True! 
So, I use 86400 for a 24-hour ban.

Thanks!


----------
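The dump / restore / expire procedure DutchDaemon sketched above, with the thread's final choice of `pfctl -Te 86400` instead of expiretable, as one script. This is an added example, not code from the thread or from the pf project; the script path `/usr/local/sbin/pftable-persist`, the state file under `/var/db/pf`, and the `PFCTL`/`TABLE`/`EXPIRE_SECS` variables are assumptions of the example.

```shell
#!/bin/sh
# pftable-persist: keep a memory-based pf table across reboots and expire
# stale entries. Added example for this thread, not code from the forum.
# Assumptions (not from the thread): the script lives at
# /usr/local/sbin/pftable-persist and the state file is kept under /var/db/pf.
#
# Suggested root crontab:
#   */5 * * * *   /usr/local/sbin/pftable-persist dump
#   0   * * * *   /usr/local/sbin/pftable-persist expire
#   @reboot       /usr/local/sbin/pftable-persist restore
#
# pf.conf side (memory-based table, no "file" keyword):
#   table <ssh_bruteforcers> persist

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-ssh_bruteforcers}"
STATE_FILE="${STATE_FILE:-/var/db/pf/$TABLE.table}"
EXPIRE_SECS="${EXPIRE_SECS:-86400}"   # 24h ban, same as pfctl -Te 86400

# Dump the live table to disk. Written to a temp file and renamed so an
# interrupted dump can never leave a half-written file for the next restore.
dump_table() {
    raw="$STATE_FILE.raw.$$"
    tmp="$STATE_FILE.tmp.$$"
    if ! "$PFCTL" -t "$TABLE" -Ts > "$raw" 2>/dev/null; then
        rm -f "$raw"
        return 1
    fi
    # -Ts indents each address; strip that and drop blank lines so the
    # file is a plain address list that pfctl -f can read back.
    sed -e 's/^[[:space:]]*//' -e '/^$/d' "$raw" > "$tmp" && mv "$tmp" "$STATE_FILE"
    status=$?
    rm -f "$raw" "$tmp"
    return $status
}

# Reload the saved list after a reboot. -Ta (add) rather than -Tr (replace)
# so a manual re-run does not discard addresses overloaded since the last dump.
restore_table() {
    [ -s "$STATE_FILE" ] || return 0     # nothing saved yet: not an error
    "$PFCTL" -t "$TABLE" -Ta -f "$STATE_FILE"
}

# Drop addresses whose statistics were last cleared more than EXPIRE_SECS
# ago, i.e. the ones added (or restored) more than EXPIRE_SECS ago.
expire_table() {
    "$PFCTL" -t "$TABLE" -Te "$EXPIRE_SECS"
}

case "${1:-}" in
    dump)    dump_table ;;
    restore) restore_table ;;
    expire)  expire_table ;;
    "")      ;;   # sourced or run without an action: define functions only
    *)       echo "usage: $0 dump|restore|expire" >&2; exit 64 ;;
esac
```

Two caveats worth knowing before relying on this: an unclean reboot loses whatever was overloaded since the last 5-minute dump, and a restored address gets a fresh timestamp when it is added back, so `-Te` counts its 24 hours from the restore, not from the original ban.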

