
From:
Rubén Llorente <porting@use.startmail.com>
Subject:
Re: [new] reaction, a fail2ban alternative
To:
ports@openbsd.org
Date:
Wed, 25 Sep 2024 19:15:00 +0000

Theo Buehler wrote:

> If I understand correctly, this needs to run as root since the authlog
> script issues pfctl commands.
> 

I have not examined the port very closely, but from a quick glance I 
guess root is not absolutely needed, with some clever engineering.

First of all, if you need reaction to issue a command as root, I think 
you can just create a reaction user, add the corresponding entries to 
/etc/doas.conf, and execute any necessary "reaction" using doas.

You don't even need to add the reaction user to a privilege group in 
order to read logs. Just tweak the syslogd configuration to put the 
stuff you need reaction to cover in a separate file which is readable by 
the reaction user only and you are good to go.

Just some random thoughts. I am using some cheap ksh scripts myself for 
this sort of thing, heh.
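One concrete way to wire up the unprivileged setup Rubén sketches, added here as an example and not part of his reply or of the reaction project itself. Everything in it is an assumption: the wrapper path /usr/local/sbin/reaction-ban, the log file /var/log/reaction-auth, the pf table name `reaction`, and the doas.conf, syslog.conf and pf.conf fragments shown in the comments. The wrapper exists because doas matches `args` literally, so a rule cannot whitelist `pfctl -T add <varying address>` directly; instead doas permits one fixed command, and that command validates the single address it is handed before touching pf.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/reaction-ban (assumed name), invoked by the
# unprivileged "reaction" user as:  doas /usr/local/sbin/reaction-ban ban ADDR
#
# /etc/doas.conf (assumed): one fixed command, any arguments, no password.
#   permit nopass reaction as root cmd /usr/local/sbin/reaction-ban
#
# /etc/syslog.conf (assumed): a private copy of the auth log for reaction.
# syslogd does not create files, so create it first and lock it down:
#   touch /var/log/reaction-auth
#   chown reaction:reaction /var/log/reaction-auth; chmod 600 /var/log/reaction-auth
#   auth.info;authpriv.info     /var/log/reaction-auth
#
# /etc/pf.conf (assumed): a persistent table the wrapper maintains.
#   table <reaction> persist
#   block in quick from <reaction>

TABLE=reaction   # assumed pf table name

# Accept only a bare IPv4 or IPv6 literal. A log line crafted to look like an
# address must not be able to smuggle extra pfctl arguments through the wrapper.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F]*:[0-9a-fA-F:]*)$'
}

# Add an address to the pf table; refuse anything that is not a plain address.
ban() {
    valid_addr "$1" || { echo "reaction-ban: rejected '$1'" >&2; return 1; }
    pfctl -t "$TABLE" -T add "$1"
}

# Remove an address from the pf table, with the same validation.
unban() {
    valid_addr "$1" || { echo "reaction-ban: rejected '$1'" >&2; return 1; }
    pfctl -t "$TABLE" -T delete "$1"
}

# Dispatch only the two verbs above; anything else is ignored.
case "${1:-}" in
    ban|unban) "$1" "${2:-}" ;;
esac
```

With this in place reaction itself never needs root: it reads /var/log/reaction-auth as its own user and runs `doas /usr/local/sbin/reaction-ban ban ADDR`, and the only privilege escalation path doas exposes is that one validated command.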