Expiretable is a utility that removes entries from a pf(4) table based on their age.
The age in question is the amount of time that has passed since the statistics for each entry in the target table were last cleared.
This program needs to be run as a user with read/write permission to /dev/pf. As with all unknown things that need to be run as the superuser or similar, there is always the chance this one will cause death and destruction, so use at your own risk. It WorksForMe<tm>; don't blame me if your cat grows another eye, and so on and so forth.
If you find yourself using this utility, especially for a reason not mentioned here, please tell me about it.
The man-page:
- expiretable(1) - Really ugly, but there it is.
Johan Fredin has been nice enough to provide a port for expiretable. He has also put together a how-to on using expiretable to block attempts to brute-force SSH. Be sure to check out the work of Peter N. M. Hansteen on firewalling with PF, especially the section on brute-force attacks. 'geek00L' has written a short piece on using Snort2c + Expiretable. Thanks to Samuel Ljungkvist and others for ideas.
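As an added illustration of where the utility fits (this fragment is not part of this page or of the expiretable distribution): a pf.conf rule set that collects hosts exceeding an SSH connection-rate limit into a table, and the expiretable invocation that removes them again once their entry has aged. The interface name, rate limit and age are constructed values; the `-t` age option and `-d` daemon mode are assumed from the feature list for 0.5 and 0.6 below, so check expiretable(1) for the exact syntax of your version.

```pf
# pf.conf fragment (constructed example).
# Hosts that open more than 3 new SSH connections within 30 seconds are
# added to <bruteforce>; every further packet from them is dropped.
ext_if = "em0"                      # assumed external interface name
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# pf never ages these entries out by itself.  As a user with read/write
# access to /dev/pf, run expiretable in daemon mode so that entries whose
# statistics were last cleared more than 24 hours ago are removed from the
# table (flag names assumed; see expiretable(1)):
#   expiretable -d -t 24h bruteforce
```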
The sources:
- expiretable-0.6.tar.gz - Latest version. Added the ability to specify the age in minutes, hours, days etc. Changed the age limit to the limit imposed by OpenBSD's nanosleep(2).
- expiretable-0.5.tar.gz - Daemon mode, a small memory-handling fix and some cleanup of error messages.
- expiretable-0.4.tar.gz
- expiretable-0.3.tar.gz
- expiretable-0.2.tar.gz
- expiretable-0.1.tar.gz - Same version as that posted on pf@
References:
- Made it into the FreeBSD ports tree as well it seems.
- Well, look at that. It's in the -current OpenBSD ports tree.
- Announcement of the utility.
- The thread on pf@ that gave me the idea.
TODO:
- Add an option to expire entries some time after their last match.
- Expire entries after a given number of matched packets or transferred bytes.
- Move entries to another table on expire.