Re: /etc/ipf.conf - ipfilter

From: nanard (nanard_at_crystunix.com)
Date: 12/20/03

    To: "Arie J. Gerszt" <arie@gerszt.ch>, <freebsd-isp@freebsd.org>
    Date: Sat, 20 Dec 2003 19:17:11 +0100
    
    

    Hi,

    I use IPF with Snort and Guardian.
    Snort detects when there are port scans and Guardian adds the attacker's IP to
    IPF.

    Snort is in the ports tree.
    Guardian is free on http://www.chaotic.org/guardian/

    To make it work with IPF, I had to change my IPF configuration:

    At the beginning of my rules, I put this:
    pass in from any to any keep state head 10

    Then I have my rules, which block by default.
    For instance,

    #---------------- IN ICMP (30) - tl0 ---------- #
    block in log proto icmp all head 30
    pass in quick proto icmp from any to X.Y.Z.W icmp-type 11 group 30
    pass in quick proto icmp from A.B.C.D to X.Y.Z.W group 30
    #----------------------------------#
    Same for OUT, and for IN/TCP, OUT/TCP, etc.

    Then Guardian, when it adds an IP, calls a script that I modified to put the
    rule in group 10:

    echo "block in log $options on $interface from $source to any group 10" | /sbin/ipf -f -

    You can tell Guardian how long to deny an IP, and which IPs are trusted.
    That is useful if the attacker spoofs your gateway, for instance (it won't
    block it).

    I hope it can help you.

    Regards,
    ----- Original Message -----
    From: "Arie J. Gerszt" <arie@gerszt.ch>
    To: <freebsd-isp@freebsd.org>
    Sent: Friday, December 19, 2003 10:17 PM
    Subject: /etc/ipf.conf - ipfilter

    > hi,
    >
    > I was just about to configure and fine tune my /etc/ipf.conf and wondered
    > what kind of settings you use on your servers.
    >
    > is anybody interested in exchanging about this topic?
    >
    >
    > thanks,
    > arie
    >
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    >

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
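As an added example (not code from nanard's post or from Guardian itself), here is a POSIX sh version of the block/unblock step described above, with two checks a practitioner would want before an address reported by Snort is interpolated into a rule fed to "ipf -f -": the string must be a plain dotted-quad, and it must not be one of the trusted addresses the post mentions (the gateway). Group 10 is taken from the post; the interface name, the trusted list, the addresses and the use of "quick" on the block rule are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Guardian itself.
# Builds and applies the IPF block rule a Guardian-style block script would
# feed to "ipf -f -" (ipf(8): "-f -" reads rules from stdin, "-r" removes
# matching rules instead of adding them).
#
# Assumptions for the example: the dynamic-block group is 10, as in the
# post; "quick" is added so the block wins even though the head rule in
# the post has no quick; TRUSTED is a constructed list standing in for
# the gateway and admin hosts that must never be blocked.

GROUP=10
TRUSTED="192.0.2.1 192.0.2.254"   # constructed: gateway, admin host
IPF=/sbin/ipf

# is_ipv4 ADDR: succeed only for a plain dotted-quad with octets 0-255.
# The address comes from an IDS alert, i.e. from traffic an attacker
# controls; nothing but a bare address may reach the ipf rule parser.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    octets=$(IFS=.; set -- $1; [ $# -eq 4 ] && echo "$@") || return 1
    for o in $octets; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_trusted ADDR: succeed if ADDR is on the never-block list.
is_trusted() {
    for t in $TRUSTED; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# block_rule ADDR IFACE: print the rule text for group 10, or fail.
block_rule() {
    src=$1; iface=$2
    is_ipv4 "$src" || { echo "refusing to build rule for '$src'" >&2; return 1; }
    is_trusted "$src" && { echo "$src is trusted, not blocking" >&2; return 2; }
    printf 'block in log quick on %s from %s to any group %s\n' "$iface" "$src" "$GROUP"
}

# block_ip / unblock_ip ADDR IFACE: add or remove the rule with ipf(8).
block_ip()   { rule=$(block_rule "$1" "$2") && printf '%s\n' "$rule" | "$IPF" -f -; }
unblock_ip() { rule=$(block_rule "$1" "$2") && printf '%s\n' "$rule" | "$IPF" -r -f -; }

# block_ip_for ADDR IFACE SECONDS: the timed deny the post mentions;
# the removal runs in the background.
block_ip_for() {
    block_ip "$1" "$2" || return 1
    ( sleep "$3"; unblock_ip "$1" "$2" ) &
}

# Command-line entry point: guardian_ipf.sh block|unblock ADDR IFACE [SECONDS]
case "${1:-}" in
    block)   if [ -n "${4:-}" ]; then block_ip_for "$2" "$3" "$4"; else block_ip "$2" "$3"; fi ;;
    unblock) unblock_ip "$2" "$3" ;;
esac
```

Run as "sh guardian_ipf.sh block 203.0.113.7 fxp0 600" (as root, so ipf can modify the rule list), or source it and call block_ip from Guardian's block and unblock scripts. The "quick" keyword matters: IPF applies the last matching rule unless a rule says quick, so without it a later "pass in quick" in one of the default-block groups could still let the attacker's packets through.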


