Triggering pf.conf anchor load based on ip detected

[daemonbak]

I have an anchor for a service that is needed ONLY when the device is present. otherwise, those ports should be closed and that anchor ignored.

I can write a script that will load and unload the anchor from the cli obviosuly, but there must be a better way to check wether the anchor should be loaded.

I could write a script to run as a cron every 2 minutes / constant running loop to check if that ip is in use like:

Code:

#!/bin/bash
ping -c 1 $IP >> /dev/null
if [ $? -eq 0 ]; then
        echo "set return state 0"
        echo "run pfctl -a load anchor ports open on subset rules until connection down"
        pfctl -a $anchor -sr
fi

Code:

ping -c 1 $IP >> /dev/null
if [ $? -eq 1 ]; then
        echo "set return state 1"
        echo "connection down, unload anchor"
        pfctl -a $anchor -F all
fi

Code:

#!/bin/bash
result=1
while [ $result -neq 0 ]; do
    ping -c 1 $IP
    result=$?
done

But that would be a sloppy workaround. Would using something like ifstated to look for that machine and then load that rule?

Has anyone ever seen something like what i am looking to accomplish?

Code:

if machine detected (
pfctl load anchor
)
else (
ignore ruleset anchor)
if state changes and ip offline unload currently loaded anchor

And of course, obviously if machine exits network/loses connection/powered off unload that anchor effectively closing the ports and returning the firewall to stealth mode on change of machine state not present.

Would be nice if I didn't have to have cron jobs running every 2 minutes and then executing a script. Hoping there is a pf.conf setting to do this or something more elegant that my if ping works load anchor if ping fails unload anchor.

Thanks!