From: "Kristian Rask"
Date: Fri, 6 Jun 2003 10:34:19 +0200
Subject: Choices for security
List-Id: Networking and TCP/IP with FreeBSD

Hi

In the ongoing saga a new question arises...

Presently the system is configured as follows:

100 MBit WAN <--> FreeBSD Gateway <--> /28 DMZ-Net incl. 2 MS-IIS

ipfw is used to make basic protection for the Windows 2000 / IIS servers.
ipfw is used to kill setups from certain IPs to DMZ/28 80,443.
snort is listening for 80,443 setups on DMZ and logging to a MySQL server.
A script at regular intervals asks MySQL for identical src-ips that return more than LIMIT records.
The script then produces ipfw rules and inserts them.
After this the script removes all previously registered records from the database (so that the DB doesn't keep growing).
The script does an "ipfw show" and looks at the relevant records for nr of attempts and traffic amount. Based on this the script removes records from the rulesets when traffic drops to a certain level.
ipfw zeroes the relevant blocking rules so that a new period of traffic measuring and blocking can start.

All of the above is being done at the moment and most of it is automatic by now. However it seems to me to be overkill ....

Does anyone have an idea as to how one measures the IP traffic types in realtime?

Another thing that has me wondering is something that would look kinda like route aggregation... like... if I have more than X registrations of certified bad boys per Y bits of network, I would like to detect this and recreate a network rule instead of a handful of host rules.

e.g.: If I detect say 16+ rules belonging to the same /24 then I would like to detect this and replace the 16+ rules with 1 rule for the entire /26. The basic idea is to reduce the number of rules in the firewall for performance reasons.

Reviewing the last 3 days' log files of ipfw rules shows a lot of cases where 10 - 20 machines came from a very narrow range of IPs.

I'm not asking anyone to invent the above... but if somebody has pointers to algorithms that will work well in the above scenario, I would be grateful to know about them.

Any and all input on the problem much appreciated..

Regards & TIA
Kristian
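The aggregation step asked about above (collapse per-host blocks into one network rule once a prefix contributes enough offenders), as an added example that is not Kristian's script; the DMZ range, rule numbers, threshold and the sample source list are constructed assumptions, and the block generalizes the /24 case to any prefix length.

```python
"""Aggregate per-host ipfw block rules into per-network rules.

Added example, not the poster's code. Given the offending source IPs the
Snort/MySQL query returned, any /prefixlen that reaches THRESHOLD distinct
hosts is emitted as one network rule; the remaining hosts stay as /32 rules.
"""
from collections import defaultdict
import ipaddress

# Constructed assumptions (not from the post): DMZ range and rule numbering.
DMZ_NET = "203.0.113.0/28"
RULE_BASE = 10000

# Constructed sample of offending sources (not real data): 16 hosts in one /24
# plus a few scattered ones; two entries repeat to exercise de-duplication.
SAMPLE_SOURCES = [f"192.0.2.{i}" for i in range(1, 17)] + [
    "192.0.2.5", "198.51.100.7", "198.51.100.9", "198.51.100.7", "192.0.2.16"]


def aggregate(ips, prefixlen=24, threshold=16):
    """Return a sorted list of ip_network objects: one /prefixlen entry per
    group that reaches `threshold` distinct hosts, host-length entries otherwise."""
    groups = defaultdict(set)
    for ip in set(ips):  # a host seen many times still counts once
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[net].add(addr)
    result = []
    for net, hosts in groups.items():
        if len(hosts) >= threshold:
            result.append(net)  # one rule covers the whole prefix
        else:
            result.extend(ipaddress.ip_network(f"{h}/{h.max_prefixlen}") for h in hosts)
    return sorted(result)


def ipfw_rules(networks, dmz=DMZ_NET, base=RULE_BASE):
    """Render one 'ipfw add' command per aggregated entry, numbered from base,
    blocking TCP SYNs to the DMZ web ports (matches the setup described above)."""
    return [f"ipfw add {base + i} deny tcp from {net} to {dmz} dst-port 80,443 setup"
            for i, net in enumerate(networks)]


if __name__ == "__main__":
    for rule in ipfw_rules(aggregate(SAMPLE_SOURCES)):
        print(rule)
```

Threshold and prefix length are parameters, so the same function can be run at /24 and again at a wider prefix to check whether the surviving host rules themselves cluster.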