Date:      Sat, 21 Feb 2009 00:30:02 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Artyom Viklenko <artem@aws-net.org.ua>
Cc:        Bakul Shah <bakul@bitblocks.com>, net@freebsd.org
Subject:   Re: A more pliable firewall
Message-ID:  <20090220235840.I46613@sola.nimnet.asn.au>
In-Reply-To: <alpine.BSF.2.00.0902201024090.18688@nys.njf-arg.bet.hn>
References:  <20090220055936.035255B1B@mail.bitblocks.com> <alpine.BSF.2.00.0902201024090.18688@nys.njf-arg.bet.hn>

On Fri, 20 Feb 2009, Artyom Viklenko wrote:
 > On Thu, 19 Feb 2009, Bakul Shah wrote:
 > 
 > > I am wondering if there is a more dynamic and scriptable
 > > firewall program.  The idea is to send it alerts (with sender
 > > host address) whenever a dns probe fails or ssh login fails
 > > or smtpd finds it has been fed spam or your website is fed
 > > bad urls.  This program will then update the firewall after a
 > > certain number of attempts have been made from a host within
 > > a given period.
 > > 
 > > Right now, when I find bad guys blasting packets at me, I add
 > > a rule to pf.conf to drop all packets from these hosts but
 > 
 > Actually, you can use tables and add these IPs to the tables
 > while leaving pf.conf untouched. The only thing to resolve
 > is to write some daemon which will receive notifications and update
 > pf tables. It should not be so hard to write such a piece
 > of software.

/usr/ports/security/fwlogwatch

DESCRIPTION
       fwlogwatch produces Linux ipchains, Linux netfilter/iptables,
       Solaris/BSD/Irix/HP-UX ipfilter, ipfw, Cisco IOS, Cisco PIX, NetScreen,
       Windows XP firewall, Elsa Lancom router and Snort IDS log summary
       reports in plain text and HTML form and has a lot of options to analyze
       and display relevant patterns. It can produce customizable incident
       reports and send them to abuse contacts at offending sites or CERTs.
       Finally, it can also run as daemon (with web interface) doing realtime
       log monitoring and reporting anomalies or starting attack
       countermeasures.

I notice it doesn't mention pf, but it might be worth checking out; it 
calls your scripts on detection by various rules and looks customisable.

Thanks to Michael Butler, who pointed out how to add table entries with 
it, with a timestamp value allowing removal of 'stale' entries by cron.

 > > all this manual editing is getting old and the internet is
 > > getting more and more like the Wild West crossed with the
 > > Attack of the Zombies.

Indeed.  Having lots of fun with ipfw tables here, most lately detecting 
and so ceasing participation in forged-source DNS amplification attacks.

cheers, Ian
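As an added example (not code from anyone in the thread), a small sh script in the spirit of the ipfw-table approach Ian describes: each blocked address is added with the current epoch time as its table value, and a cron-driven pass deletes entries whose value is older than a chosen age. The table number, MAX_AGE, the IPFW dry-run variable and a matching `deny ip from table(1) to any` rule in the ruleset are all assumptions.

```shell
#!/bin/sh
# Added example: keep an ipfw blocklist table whose per-entry value is the
# epoch time the address was added, so cron can expire 'stale' entries.
# TABLE, MAX_AGE and IPFW are assumed knobs, not from the original thread.

TABLE="${TABLE:-1}"          # ipfw table referenced by a deny rule (assumed)
MAX_AGE="${MAX_AGE:-86400}"  # seconds an entry stays before it is expired
IPFW="${IPFW:-ipfw}"         # set IPFW=echo for a dry run

# Add (or refresh) one host; the table value records when it was blocked.
# $1 = address or prefix, $2 = optional epoch (defaults to now)
block_host() {
    _when="${2:-$(date +%s)}"
    "$IPFW" table "$TABLE" add "$1" "$_when"
}

# Read `ipfw table N list` output ("addr/mask value" per line) on stdin and
# print the entries whose value is older than the allowed age.
# $1 = current epoch, $2 = max age in seconds (defaults to MAX_AGE)
stale_entries() {
    awk -v now="$1" -v max="${2:-$MAX_AGE}" '
        NF == 2 && (now - $2) > max { print $1 }'
}

# Cron entry point: delete every stale entry from the table.
expire_stale() {
    "$IPFW" table "$TABLE" list | stale_entries "$(date +%s)" |
    while read -r entry; do
        "$IPFW" table "$TABLE" delete "$entry"
    done
}

case "${1:-}" in
    add)    block_host "$2" ;;   # e.g. called from a log-watching hook
    expire) expire_stale ;;      # e.g. run hourly from crontab
esac
```

Entries are listed and deleted with the prefix length ipfw prints, so network entries such as a /24 added by hand are expired the same way as single hosts.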