Re: A more pliable firewall



On Fri, 20 Feb 2009, Artyom Viklenko wrote:
> On Thu, 19 Feb 2009, Bakul Shah wrote:
>
>> I am wondering if there is a more dynamic and scriptable
>> firewall program. The idea is to send it alerts (with sender
>> host address) whenever a DNS probe fails or SSH login fails
>> or smtpd finds it has been fed spam or your website is fed
>> bad URLs. This program will then update the firewall after a
>> certain number of attempts have been made from a host within
>> a given period.
>>
>> Right now, when I find bad guys blasting packets at me, I add
>> a rule to pf.conf to drop all packets from these hosts but
>
> Actually, you can use tables and add these IPs to tables
> while leaving pf.conf untouched. The only thing to resolve
> is to write some daemon which will receive notifications and update
> pf tables. It should not be so hard to write such a piece
> of software.

/usr/ports/security/fwlogwatch

DESCRIPTION
fwlogwatch produces Linux ipchains, Linux netfilter/iptables,
Solaris/BSD/Irix/HP-UX ipfilter, ipfw, Cisco IOS, Cisco PIX, NetScreen,
Windows XP firewall, Elsa Lancom router and Snort IDS log summary
reports in plain text and HTML form and has a lot of options to analyze
and display relevant patterns. It can produce customizable incident
reports and send them to abuse contacts at offending sites or CERTs.
Finally, it can also run as daemon (with web interface) doing realtime
log monitoring and reporting anomalies or starting attack countermeasures.

I notice it doesn't mention pf, but it might be worth checking out; it
calls your scripts on detection by various rules and looks customisable.

Thanks to Michael Butler, who pointed out how to add table entries with
it, with a timestamp value allowing removal of 'stale' entries by cron.

>> all this manual editing is getting old and the internet is
>> getting more and more like the Wild West crossed with the
>> Attack of the Zombies.

Indeed. Having lots of fun with ipfw tables here, most lately detecting
and so ceasing participation in forged-source DNS amplification attacks.

cheers, Ian
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
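The notify-and-update daemon Artyom sketches above, together with the timestamp-based expiry of stale entries that Ian mentions, as an added example that is not code from this thread or from any of its posters: a Python script that runs sshd failure lines through a per-host sliding window and emits pfctl(8) commands for a pf table. The table name <badhosts>, the pf.conf lines in the docstring, the threshold of 5 failures in 600 seconds, the 24-hour expiry and the sample log lines are all assumptions I made for the example (the log lines are constructed). pf tables carry no per-entry user value the way ipfw tables do, so the expiry half keeps its own record of when each address was added.

```python
#!/usr/bin/env python3
"""Feed repeat offenders from sshd log lines into a pf table.

Added example for this thread, not code from any poster.  Assumed
pf.conf setup (not from the thread):

    table <badhosts> persist
    block in quick from <badhosts> to any

Threshold, window and expiry below are assumptions as well.
"""
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime

TABLE = "badhosts"     # assumed pf table name
THRESHOLD = 5          # assumed: failures per host that trip a block
WINDOW = 600           # assumed: sliding window in seconds
MAX_AGE = 24 * 3600    # assumed: seconds an entry stays in the table

# Failure lines sshd(8) writes through syslog.  The classic syslog
# timestamp has no year, so the caller supplies one.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+")

def parse(line, year):
    """Return (epoch_seconds, ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when.timestamp(), m["ip"]

def offenders(lines, year=2009, threshold=THRESHOLD, window=WINDOW):
    """Map ip -> time it tripped, for hosts with >= threshold failures
    inside any `window` seconds.  Each host's deque holds only the
    failures still inside the window, so a slow attacker who spaces
    attempts wider than the window never accumulates enough."""
    recent = defaultdict(deque)
    tripped = {}
    for line in lines:
        hit = parse(line, year)
        if hit is None:
            continue
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped

def pfctl_add(ips, table=TABLE):
    """pfctl(8) invocations that add each address to the table."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in sorted(ips)]

def pfctl_delete(ips, table=TABLE):
    """pfctl(8) invocations that remove each address from the table."""
    return [["pfctl", "-t", table, "-T", "delete", ip] for ip in sorted(ips)]

def stale(entries, now, max_age=MAX_AGE):
    """entries: ip -> time it was added.  pf keeps no per-entry value
    (unlike an ipfw table value), so the daemon must remember this
    itself; a real deployment would persist the dict to a file and
    run this from cron.  Returns the addresses due for deletion."""
    return sorted(ip for ip, added in entries.items() if now - added > max_age)

# Constructed sample log (not real traffic).  192.0.2.10 fails five
# times in eight seconds; 203.0.113.9 also fails five times but five
# minutes apart, so it never has THRESHOLD failures inside WINDOW.
SAMPLE_LOG = """\
Feb 19 10:00:01 gw sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb 19 10:00:03 gw sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Feb 19 10:00:05 gw sshd[1236]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 19 10:00:07 gw sshd[1237]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Feb 19 10:00:09 gw sshd[1238]: Failed password for root from 192.0.2.10 port 40005 ssh2
Feb 19 10:01:00 gw sshd[1240]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Feb 19 10:30:00 gw sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Feb 19 11:00:00 gw sshd[1250]: Failed password for root from 203.0.113.9 port 40100 ssh2
Feb 19 11:05:00 gw sshd[1251]: Failed password for root from 203.0.113.9 port 40101 ssh2
Feb 19 11:10:00 gw sshd[1252]: Failed password for root from 203.0.113.9 port 40102 ssh2
Feb 19 11:15:00 gw sshd[1253]: Failed password for root from 203.0.113.9 port 40103 ssh2
Feb 19 11:20:00 gw sshd[1254]: Failed password for root from 203.0.113.9 port 40104 ssh2
"""

def main(argv):
    apply = "--apply" in argv            # without it, only print the commands
    files = [a for a in argv if a != "--apply"]
    lines = open(files[0]).read().splitlines() if files else SAMPLE_LOG.splitlines()
    for cmd in pfctl_add(offenders(lines)):
        print(" ".join(cmd))
        if apply:                        # needs root on a host running pf
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments it prints the one pfctl command the sample log earns (for 192.0.2.10) and touches nothing; pass a log file to score real sshd output, and `--apply` to actually execute the pfctl calls. A cron job would call `stale()` on the persisted add-times and run the `pfctl_delete()` commands it returns.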