From: Bakul Shah
To: net@freebsd.org
Date: Fri, 20 Feb 2009 12:50:02 -0800
Subject: Re: A more pliable firewall
In-reply-to: Your message of "Sat, 21 Feb 2009 00:30:02 +1100." <20090220235840.I46613@sola.nimnet.asn.au>
References: <20090220055936.035255B1B@mail.bitblocks.com> <20090220235840.I46613@sola.nimnet.asn.au>
Message-Id: <20090220205003.301AB5B3E@mail.bitblocks.com>
List-Id: Networking and TCP/IP with FreeBSD

Thanks to everyone who responded. Looks like all the pieces to do this exist. All I have to do is to package it all in one program "sheriff" that watches various log files and pulls the trigger on the bad guy(s) at the appropriate time.

I think I will add a program to keep running stats on *all* the tcp/udp senders to find all those annoyingly pesky repeat senders who have no business talking to my network.

What would be nice is a standard interface to report suspicious failures (sort of like syslog). If the same guy sends N DNS requests for the same thing and every request fails, chances are he is a bad guy (or a zombie acting on behalf of one).
Perhaps some day a trusted network of such daemons can be used to "back pressure" the closest ISP to the sender -- who can then shut him down for a while.
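The heuristic Bakul sketches above (the same source asking for the same name N times with every request failing), written out as an added example rather than code from the original thread; the query-log line format, the sample addresses, the pf table name "sheriff" and the threshold of 3 are all assumptions:

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical DNS query-log style; the
# format is an assumption for this example, not taken from the original mail.
SAMPLE_LOG = """\
Feb 20 12:01:01 ns1 named: client 198.51.100.7 query: example.test IN A NXDOMAIN
Feb 20 12:01:02 ns1 named: client 198.51.100.7 query: example.test IN A NXDOMAIN
Feb 20 12:01:03 ns1 named: client 198.51.100.7 query: example.test IN A NXDOMAIN
Feb 20 12:01:04 ns1 named: client 203.0.113.9 query: example.test IN A NXDOMAIN
Feb 20 12:01:05 ns1 named: client 203.0.113.9 query: example.test IN A NOERROR
Feb 20 12:01:06 ns1 named: client 203.0.113.9 query: example.test IN A NXDOMAIN
Feb 20 12:01:07 ns1 named: client 192.0.2.33 query: other.test IN A NXDOMAIN
"""

LINE_RE = re.compile(
    r"client (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<rcode>\S+)$")

def tally(lines):
    """Return {(src, qname): [failures, successes]} over the log lines."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore
        key = (m["src"], m["qname"])
        if m["rcode"] == "NOERROR":
            stats[key][1] += 1
        else:
            stats[key][0] += 1
    return stats

def suspects(lines, threshold=3):
    """Sources that asked for the same name at least `threshold` times and never
    got a successful answer: the "N requests, all failing" rule from the mail."""
    flagged = set()
    for (src, qname), (fails, oks) in tally(lines).items():
        if oks == 0 and fails >= threshold:
            flagged.add(src)
    return sorted(flagged)

def pf_table_commands(sources, table="sheriff"):
    """Render the pfctl commands that would add flagged sources to a pf table
    (table name is a placeholder; nothing is executed here)."""
    return [f"pfctl -t {table} -T add {src}" for src in sources]

if __name__ == "__main__":
    print("\n".join(pf_table_commands(suspects(SAMPLE_LOG.splitlines()))))
```

A source that received even one NOERROR answer for the name is left alone, which is what keeps the rule from flagging a legitimate client that simply retried once.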