Rogue access points
-
Yes, even if I take the table out of the rule, like:
rdr on xl1 from any to any -> 10.20.7.1 port 81
or whatever combo, I always get an error.
Ok, the error is:
pfctl: Rules must be in order: options, normalization, queueing, translation, filtering
So my guess is the rule is inserted in the wrong place.
-
Oh :), you have to place it before any filter (pass/block) rule and after any traffic shaper rule.
So the pf ruleset looks like:
1- set statements
2- macro, table definitions
3- QoS rules
4- RDR/NAT/BINAT rules
5- Filter rules
If you have ftp-proxy active you should have rdr rules there, so place the rdr rule after those and you should be ok.
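To make the ordering concrete, here is a minimal pf.conf skeleton laid out in the order pfctl enforces. It is an added example, not from the thread, and it assumes the thread's interface name xl1, the <p0f> table and the 10.20.7.1 port 81 redirect target; the ftp-proxy rdr line is only a placeholder comment.

```pf
# 1. options
set skip on lo0

# 2. macros and tables; "persist" keeps the table alive even before a rule references it
ext_if = "xl1"
table <p0f> persist

# 3. queueing (traffic shaper) rules go here, before any translation rule

# 4. translation: any ftp-proxy rdr rules first, then the redirect from the thread
# rdr ... -> 127.0.0.1 port 8021   (ftp-proxy, if enabled)
rdr on $ext_if proto tcp from <p0f> to any -> 10.20.7.1 port 81

# 5. filter rules last; a pass/block placed above the rdr is what produces
#    "Rules must be in order: options, normalization, queueing, translation, filtering"
pass in on $ext_if proto tcp from <p0f> to 10.20.7.1 port 81 keep state
```

Load it with pfctl -nf /etc/pf.conf first: the -n flag only parses the file, so an ordering mistake shows up as the error above without touching the running ruleset.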
-
Ok, done.
Right now I'm testing it in a live setup. I'll report back my findings soon.
-
Consider making this a package so you do not have to mess with scripts next time.
I will review/help/commit this package if at least half the work is done.
-
Thx for the support anyway!!!!!
-
I was away for a few days, but left the setup running, and it seems to be very stable.
Next I'm learning about creating packages, which seems quite a task.
I'll do my best to turn this into a package; it may take a while though.
I'm still working on it!
-
Most of it is an XML file and an include doing verification and data saving.
Find the simplest port, copy over its files and it should be straightforward… :)
-
This seems like something (like flow data) that could be useful in the base system. Its footprint is fairly small (although I'd need to look at CPU consumption). Thoughts?
nb
-
Yeah, I thought of writing a package for it as a tutorial and seeing if it has the audience to get into base.
-
I was in an accident and have been in the hospital for a while.
I haven't got the time now to create a package.
In a few weeks I think I'm starting to work again,
and hope to pick up on things like this, if there are people who are interested.
I hope you understand.
In the meantime I can give you my notes to get it all working manually.
- install p0f
- install shttpd
- create a webpage for blocked clients.

<< create script for adding blocked IPs in /usr/local/bin/p0fcron.sh
#!/bin/sh
# First flush the table of blocked clients.
pfctl -t p0f -Tflush
# Then add newly detected clients to the table: strip the colon from field 9
# (the "<ip>:" of a masquerade alert), drop empty values and duplicates.
awk '{gsub(/:/, "", $9); if ($9 != "") print $9}' /var/log/p0f.txt | awk '!a[$0]++' | while read data; do
    pfctl -t p0f -Tadd "$data"
done
# Last, flush the file p0f created.
cat /dev/null > /var/log/p0f.txt
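The cron script above trusts whatever sits in field 9 of every log line. As an added example (not the thread's script), here is a parser that only takes addresses from masquerade alert lines, validates that each is a dotted quad, de-duplicates them, and by default prints the pfctl commands instead of running them so it can be exercised on a host without pf. The sample log lines are constructed; the layout they assume (a "<timestamp>" prefix followed by ">> Masquerade at <ip>: indications: ...", which puts "<ip>:" in field 9) is the same one the thread's awk one-liner relies on.

```shell
#!/bin/sh
# Added example: extract validated, unique masquerade IPs from a p0f -M log.

# Constructed sample log: two alerts for one host, a plain fingerprint line,
# a second host, and a malformed alert that must be ignored.
SAMPLE_LOG='<Tue Jan  8 10:00:01 2008> >> Masquerade at 10.20.7.55: indications: @T2 @D @O
<Tue Jan  8 10:00:02 2008> 10.20.7.12:3452 - Windows XP SP1+ (up: 3 hrs) -> 10.20.7.1:80 (distance 0, link: ethernet/modem)
<Tue Jan  8 10:00:03 2008> >> Masquerade at 10.20.7.55: indications: @T2 @D
<Tue Jan  8 10:00:04 2008> >> Masquerade at 10.20.7.88: indications: @D @O @P
<Tue Jan  8 10:00:05 2008> >> Masquerade at not.an.ip: indications: @D'

# Print one unique IPv4 address per line for every masquerade alert on stdin.
p0f_masq_ips() {
    awk '
        /^<.*> >> Masquerade at / {
            ip = $9
            sub(/:$/, "", ip)
            # accept only four numeric octets, each in 0..255
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                n = split(ip, o, ".")
                ok = (n == 4)
                for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
                if (ok && !seen[ip]++) print ip
            }
        }'
}

# Feed the addresses to the pf table. DRY_RUN=1 (the default) echoes the
# commands; set DRY_RUN=0 on the firewall to actually call pfctl.
p0f_table_update() {
    p0f_masq_ips | while read -r ip; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "pfctl -t p0f -Tadd $ip"
        else
            pfctl -t p0f -Tadd "$ip"
        fi
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | p0f_table_update
```

Swap the sample for `cat /var/log/p0f.txt` and the flush steps from the script above to use it in the cron job; matching on the ">> Masquerade at" prefix means ordinary fingerprint lines can never put a stray port number or OS name into the table.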
<< add cronjob to /conf/config.xml, adding and deleting IPs every 10 minutes
<item>
  <task_name>p0f</task_name>
  <minute>*/10</minute>
  <hour>*</hour>
  <mday>*</mday>
  <month>*</month>
  <wday>*</wday>
  <who>root</who>
  <command>/usr/local/bin/p0fcron.sh</command>
</item>

<< filter: add redirect rule for blocked IPs in /etc/inc/filter.inc
$natrules .= "# p0f\n";
$natrules .= "table <p0f> persist\n";
$natrules .= "rdr on xl1 proto tcp from <p0f> to any -> 10.20.7.1 port 81\n";

<< create startup script /usr/local/etc/rc.d/p0f.sh
<< -i xl1 is the interface to listen on
<< -T is the threshold
chmod 0755 /usr/local/etc/rc.d/p0f.sh

#!/bin/sh
echo -n ' p0f '
case "$1" in
start)
    /usr/local/bin/p0f -i xl1 -MKU -T 33 -d -o /var/log/p0f.txt
    ;;
stop)
    kill -9 $(cat /var/run/p0f.pid)
    ;;
*)
    ;;
esac
exit 0
<< create startup script /usr/local/etc/rc.d/p0f.sh
chmod 0755

#!/bin/sh
echo -n ' shttpd '
case "$1" in
start)
    /usr/local/bin/shttpd -p 81 -d /usr/local/www/p0f -l /var/log/shttpd.log
    ;;
stop)
    kill -9 $(cat /var/run/shttpd.pid)
    ;;
*)
    ;;
esac
exit 0