View Single Post
  #1   (View Single Post)  
Old 3rd December 2013
irukandji irukandji is offline
Port Guard
Join Date: Jul 2013
Posts: 16
Default PF dynamic adding of ips to table (booby trap port)

As i have only few ports opend to the internet within the service range i would like to booby trap others to block any host that sends tcp or udp packet to any of them.

What i am having problem with is dynamically adding the offending ip to the table (most likely port scan), something like:

table <honeypot> persist
block quick from <honeypot>
pass in on em0 proto tcp from any to any port 1:24 "add ip to" <honeypot>

The problem is that i cant find syntax to add the ip sending the packet to the honeypot table, is this even possible? The overload has this possibility but this is not about the connection count as the handshake is not even done yet - there should be no traffic so any kind of tcp packet should be enough to get blocked.
Reply With Quote