From: "Khoi Dinh"
Reply-To: khoi@oddworld.com
To: "'Paul Mather'", "'Don Bowman'"
Cc: freebsd-stable@freebsd.org
Date: Thu, 10 Jun 2004 11:47:00 -0700
Subject: RE: Port scan detection in ipfw2

Thanks for all the responses. I was thinking of the cron solution too but wanted to see if there was something nifty in ipfw that I didn't know about. My main concern is still the port scan detection. I guess there is really no way to set up ipfw to detect a port scan. Some users have suggested using a user app for this, but my firewall is already set up to deny everything except for some specific traffic. Using a user app would not do any good because the application would never see the scan.

Thanks again,
Khoi

-----Original Message-----
From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Paul Mather
Sent: Thursday, June 10, 2004 6:30 AM
To: Don Bowman
Cc: khoi@oddworld.com; freebsd-stable@freebsd.org
Subject: RE: Port scan detection in ipfw2

On Thu, 2004-06-10 at 08:46, Don Bowman wrote:
> There was a patch to ipfw posted last year that gave time to rules.

Interesting. Does the rule processing of the patch burden all packets with an extra check (for time validity), or just those with a time restraint on the rule?

I wonder, also, how "keep-state" rules are handled. Are the time constraints of the "keep-state" rule included with the dynamic rule created from it? (If not, that would mean a packet could be allowed in violation of its time constraint?)

Does the syntax of time specification use the local time zone, and, if so, what happens during the switch between daylight savings... ;-)

Cheers,

Paul.
--
e-mail: paul@gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa