Hi list,

This is my first post to this list. I've just subscribed because I've tried to set up snort2pf and of course I haven't succeeded (or I wouldn't be posting here, eheh).

Basically, for those that don't know it, snort2pf watches the Snort alert file and blocks offending hosts with the following piece of Perl code:

# open( PFCTL, "| $pfctl -a snort2pf/$ipaddr -f -" )
#     or warn("Can't block $ipaddr($!)\n");
# print PFCTL "block in quick from $ipaddr to any\n";
# close(PFCTL) or die("Can't write to pfctl pipe($!)\n");

Or, IOW:

# echo "block in quick from $ipaddr to any" | pfctl -a snort2pf/$ipaddr -f -

I've added the following line to my pf.conf among the filter rules:

# anchor "snort2pf/*"

But it doesn't work. What's puzzling me utterly is that I don't see it when I use the following command:

# root# pfctl -a '*' -sr
# ...
# anchor '*' all {
# pfctl: DIOCGETRULES: Invalid argument
# }
# ...

However, it seems that I can see the "snort2pf" anchor with:

# root# pfctl -s A
# snort2pf

And if my memory serves me correctly, I also can see sub-anchors with:

# root# pfctl -s A -v
# snort2pf
# snort2pf/10.0.0.1

This information is dug up from my memory from a few hours ago. I think it is mostly correct, but I will double check it tomorrow at work and let you know if I have something to correct or add.

Meanwhile, if you think you get the reason for this puzzling behaviour (which I suspect to be something I've missed, although a quick search in the archive didn't spot anything), or if you need more information, then please let me know.

Thank you.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
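As an added example that is not part of the original message or of snort2pf's own code: a Python sketch of the same alert-to-anchor flow the post describes, with the address validation a defender wants before an untrusted string from the alert file is used to name a pfctl anchor. The sample alert lines, the 192.168.1.0/24 never-block range and the plain `pfctl` path are constructed assumptions.

```python
"""Added example, not snort2pf's own code: the alert -> pfctl anchor flow from the
post, with address validation before anything untrusted reaches an anchor name."""
import ipaddress
import re
import subprocess

# Snort "fast" alert line; the address pair after the {PROTO} tag is what we need.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not from the original message).
SAMPLE_ALERTS = """\
03/04-10:15:22.123456  [**] [1:2001:3] SCAN probe [**] [Priority: 2] {TCP} 10.0.0.1:4444 -> 192.168.1.5:80
03/04-10:15:23.000001  [**] [1:2002:1] garbage line without an address
03/04-10:15:24.555555  [**] [1:2003:1] SCAN probe [**] [Priority: 2] {UDP} 192.168.1.9:53 -> 192.168.1.5:53
03/04-10:15:25.000000  [**] [1:2004:1] SCAN probe [**] [Priority: 2] {TCP} 10.0.0.1:4445 -> 192.168.1.5:22
"""

# Assumed local range: never block it, whatever the alert says.
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24")]

def offending_hosts(alert_text):
    """Distinct, validated source addresses worth blocking, in first-seen order."""
    seen = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # right shape but not a real address, e.g. 999.1.1.1
        if any(ip in net for net in NEVER_BLOCK) or ip in seen:
            continue
        seen.append(ip)
    return seen

def block_command(ip):
    """argv and stdin text mirroring the post's Perl:
    echo 'block in quick from <ip> to any' | pfctl -a snort2pf/<ip> -f -"""
    ip = ipaddress.ip_address(ip)  # ValueError unless a real address names the anchor
    return ["pfctl", "-a", f"snort2pf/{ip}", "-f", "-"], f"block in quick from {ip} to any\n"

def block_host(ip, dry_run=True):
    """Load the per-host sub-anchor; with dry_run the command is returned, not run."""
    argv, rule = block_command(ip)
    if not dry_run:
        subprocess.run(argv, input=rule, text=True, check=True)
    return argv, rule
```

On the pf host, feed each address from `offending_hosts(SAMPLE_ALERTS)` to `block_host(..., dry_run=False)`; the default dry run first shows the exact pfctl invocation and rule text.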