From: Lawrence Stewart <lstewart@room52.net>
Date: Fri, 20 Feb 2009 19:04:45 +1100
To: Bakul Shah
Cc: net@freebsd.org
Subject: Re: A more pliable firewall
Message-ID: <499E641D.1060605@room52.net>
In-Reply-To: <20090220055936.035255B1B@mail.bitblocks.com>

Bakul Shah wrote:
> I am wondering if there is a more dynamic and scriptable
> firewall program. The idea is to send it alerts (with sender
> host address) whenever a DNS probe fails or SSH login fails
> or smtpd finds it has been fed spam or your website is fed
> bad URLs. This program will then update the firewall after a
> certain number of attempts have been made from a host within
> a given period.
>
> Right now, when I find bad guys blasting packets at me, I add
> a rule to pf.conf to drop all packets from these hosts, but
> all this manual editing is getting old and the internet is
> getting more and more like the Wild West crossed with the
> Attack of the Zombies.

It's a fairly crude solution and doesn't address a lot of the features you mention, but I do this with PF on many of my FreeBSD machines (tuning the various timeout and connection rates as appropriate):

# External interface macro used by the rules below ("em0" is a placeholder; set it to your WAN interface)
wan_if = "em0"

# Table of offending hosts; "persist" keeps it loaded even when empty
table <bad_hosts> persist

# Drop packets from hosts trying to spam us with connections.
# We rehabilitate this list by calling
# "pfctl -t bad_hosts -T expire 600" from cron every few mins
block drop in quick on $wan_if from <bad_hosts>

# Allow TCP connections from the outside world to:
#   ssh   (port 22)
#   https (port 443)
# Attempting to connect more than 5 times in 30 seconds
# will put you in the bad books for a while
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port { 22, 443 } keep state (max-src-conn-rate 5/30, overload <bad_hosts> flush global)

It does a surprisingly good job at stopping a majority of cruft ending up in my security logs, and the rehabilitation via cron ensures any false positives don't require manual intervention to remove the offending IP(s) from the black list.

There are also of course many options in ports, some of which are very sophisticated (e.g. snort, bro).

Cheers,
Lawrence
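The following Python is an added model of how the rule set above behaves over time (it is not from Lawrence's message nor from PF itself): a source opening more than 5 new connections in 30 seconds lands in the block table, and the cron expiry releases it after 600 seconds. The sliding window and the documentation-range IP addresses in the trace are constructed for illustration; PF estimates the rate with a moving average rather than an exact window.

```python
"""Model of the PF overload rule: a source opening more than RATE new
connections within WINDOW seconds lands in <bad_hosts>, and a cron job
(pfctl -t bad_hosts -T expire 600) drops entries older than EXPIRE seconds.
The sliding window is a simplification of PF's moving-average estimate."""
from collections import defaultdict, deque

RATE, WINDOW, EXPIRE = 5, 30, 600   # max-src-conn-rate 5/30 ; -T expire 600


class OverloadTable:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> times of recent new connections
        self.blocked = {}                  # src -> time it entered <bad_hosts>

    def new_connection(self, src, t):
        """Classify a new connection from src at time t (seconds)."""
        if src in self.blocked:
            return "blocked"               # matched by 'block drop ... from <bad_hosts>'
        q = self.recent[src]
        q.append(t)
        while t - q[0] > WINDOW:           # forget connections outside the window
            q.popleft()
        if len(q) > RATE:                  # more than 5 in 30 s: overload
            self.blocked[src] = t
            q.clear()                      # 'flush global': the source's states are killed
            return "overload"
        return "pass"

    def expire(self, now):
        """The cron job: remove entries older than EXPIRE seconds; return them."""
        stale = [s for s, added in self.blocked.items() if now - added > EXPIRE]
        for s in stale:
            del self.blocked[s]
        return stale


def run_sample():
    """Replay a constructed trace: one scanner and one well-behaved client."""
    trace = [(0, "203.0.113.7"), (1, "198.51.100.2"), (2, "203.0.113.7"),
             (4, "203.0.113.7"), (6, "203.0.113.7"), (8, "203.0.113.7"),
             (10, "203.0.113.7"), (12, "203.0.113.7"), (45, "198.51.100.2")]
    tbl = OverloadTable()
    verdicts = [(t, src, tbl.new_connection(src, t)) for t, src in trace]
    expired_early = tbl.expire(500)        # cron run before 600 s: nothing released
    expired_late = tbl.expire(700)         # cron run after 600 s: scanner rehabilitated
    return verdicts, expired_early, expired_late


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(*row)
```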