From owner-freebsd-net@FreeBSD.ORG Fri Feb 20 13:43:07 2009 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 175AB1065672 for ; Fri, 20 Feb 2009 13:43:07 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227]) by mx1.freebsd.org (Postfix) with ESMTP id 69A2F8FC08 for ; Fri, 20 Feb 2009 13:43:06 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n1KDU2CB055872; Sat, 21 Feb 2009 00:30:03 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 21 Feb 2009 00:30:02 +1100 (EST) From: Ian Smith To: Artyom Viklenko In-Reply-To: Message-ID: <20090220235840.I46613@sola.nimnet.asn.au> References: <20090220055936.035255B1B@mail.bitblocks.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: Bakul Shah , net@freebsd.org Subject: Re: A more pliable firewall X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 13:43:07 -0000 On Fri, 20 Feb 2009, Artyom Viklenko wrote: > On Thu, 19 Feb 2009, Bakul Shah wrote: > > > I am wondering if there is a more dynamic and scriptable > > firewall program. The idea is to send it alerts (with sender > > host address) whenever a dns probe fails or ssh login fails > > or smtpd finds it has been fed spam or your website is fed > > bad urls. This program will then update the firewall after a > > certain number of attempts have been made from a host within > > a given period. > > > > Right now, when I find bad guys blasting packets at me, I add > > a rule to pf.conf to drop all packets from these hosts but > > > Actually, you can use tables and add these ip-s to tables > while leave pf.conf untouchable. The only thing to resolv > is to write some daemon which will receive notifyes and update > pf tables. It should be not so hard to write such piece > of software. /usr/ports/security/fwlogwatch DESCRIPTION fwlogwatch produces Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, ipfw, Cisco IOS, Cisco PIX, NetScreen, Windows XP firewall, Elsa Lancom router and Snort IDS log summary reports in plain text and HTML form and has a lot of options to analyze and display relevant patterns. It can produce customizable incident reports and send them to abuse contacts at offending sites or CERTs. Finally, it can also run as daemon (with web interface) doing realtime log monitoring and reporting anomalies or starting attack countermea- sures. I notice it doesn't mention pf, but it might be worth checking out; it calls your scripts on detection by various rules and looks customisable. Thanks to Michael Butler, who pointed out how to add table entries with it, with a timestamp value allowing removal of 'stale' entries by cron. > > all this manual editing is getting old and the internet is > > getting more and more like the Wild West crossed with the > > Attack of the Zombies. Indeed. Having lots of fun with ipfw tables here, most lately detecting and so ceasing participation in forged-source DNS amplification attacks. cheers, Ian