Date: Sun, 18 Sep 2005 03:25:58 -0500 From: "Travis H." <solinym@gmail.com> To: freebsd-pf@freebsd.org Subject: new pf-related tool: dfd_keeper Message-ID: <d4f1333a05091801252af1934@mail.gmail.com>
Hey,

Just letting people know that a dynamic firewall daemon (sort of a command shell for the firewall) is available for FreeBSD & pf. It's called dfd_keeper, and I'm looking for ideas, suggestions, developers, and testers. You can find it here:

http://www.lightconsulting.com/~travis/dfd/dfd_keeper/

I'd like to evolve from this into a more complete system. For example:

I'd like to integrate it with snort, honeypots, and maybe snortsam.

I'd like to have a pcap-based sniffer that invokes commands not related to security incidents... for example active-mode FTP, IRC DCC, talk, p2p applications, etc.

I'd like to have a pcap-reading library written in a buffer-safe language that does several things:
1) Decode IPs and TCP/UDP ports, generating "top 100 probed ports", "top 100 blocking rules", etc. over various time periods.
2) Port scan detector, see: http://www.cipherdyne.com/psad/
3) Statistics for optimization of rules
4) Port knocking, see: http://www.cipherdyne.org/fwknop/
5) Abuse of network resources (spam, worms, scanning by internal hosts, arp flooding, bandwidth cap overflow, etc.)

I'd like to have a web interface which displays:
1) All of the info from the pcap program above
2) The OS fingerprint history of various IPs
3) ifgraph/smokeping output
4) statistics gathered from arpwatch (MAC history of an IP, IP history of a MAC, &c.)
5) Fancy visualizations of the multi-dimensional statistical information that firewall logs contain:
5a) graphviz
5b) LGL, http://bioinformatics.icmb.utexas.edu/lgl/
5c) volsuite
5d) OpenQVIS

I'd like to have a web interface for toggling/setting firewall rules. Specifically, on/off commands would have a checkbox, multi-mode commands radio buttons, the list-based commands have an "add" text entry field, etc.

I'd like to protect the traffic to dfd_keeper with cryptography.

I'd like to implement a coherent system of authorization, so that certain hosts/programs/users could access some commands, but not others. Currently the model is "all or nothing".

I'd like to add persistence to dfd_keeper so that blocked hosts stay blocked. This will involve some re-structuring due to limitations of python pickling code.

I'd like to write an expect script that can shut ports off on managed switches. Combined with the "abuse of resources" detector above, this means no more manually handling worm invasions! Could also implement this with arp spoofing, if not patented by Mirage Networks.

All these cooperating packages might be easiest to configure with some custom afterinstall scripts or maybe even a Live! CD distro for an instant "firewall appliance".

If you are interested in any of these topics, have suggestions or comments, please email me and ask to be added to my email list.

-- 
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B