From: "Khoi Dinh"
Reply-To: khoi@oddworld.com
To: "'Chuck Swiger'"
Cc: freebsd-stable@freebsd.org
Date: Thu, 10 Jun 2004 13:37:49 -0700
Subject: RE: Port scan detection in ipfw2
In-Reply-To: <40C8BDAA.9040301@mac.com>

Excellent! This is what I need. The hint leads me to changing
"net.inet.icmp.icmplim" accordingly.

Thanks!
Khoi

-----Original Message-----
From: Chuck Swiger [mailto:cswiger@mac.com]
Sent: Thursday, June 10, 2004 1:00 PM
To: khoi@oddworld.com
Cc: freebsd-stable@freebsd.org
Subject: Re: Port scan detection in ipfw2

Khoi Dinh wrote:
> This is a repost and I was hoping there might be a solution to this.
> I was wondering if ipfw2 has the ability to detect port scan like
> iptables with the psd module. I'm looking for a kernel-based
> solution, not app-based like portsentry.

ipfw performs packet inspection and it can certainly recognize the traffic
associated with a port scan, yes. The kernel provides support for limiting
the generation of ICMP error messages, which is what happens when someone
port scans a bunch of closed ports. What else did you want to do?

> Also, is ipfw2 able to allow/disallow traffic according to time? ie.
> If I wanted to allow http traffic only from 9am to 1pm, can I do this
> with ipfw?

IPFW and IPFW2 have no notion of time, but one could very easily use cron to
change your firewall rulesets at specific times in order to accomplish what
you've asked for.

--
-Chuck
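The cron approach suggested in the reply above, sketched as an added example that is not part of the original thread: instead of one cron job at 9am and another at 1pm, a single job runs every few minutes and reconciles the rule against the clock, so a reboot or ruleset reload inside the window is corrected on the next run. The rule number 1000, the rule body, the script path and the `apply` argument are assumptions, and the script assumes the rest of the ruleset denies port 80 when this rule is absent.

```sh
#!/bin/sh
# Added example: keep a time-windowed ipfw allow rule in the right state.
# Assumed root crontab entry (path and "apply" argument are hypothetical):
#   */5 * * * * /usr/local/sbin/http_window.sh apply

IPFW="${IPFW:-/sbin/ipfw}"            # override for a dry run: IPFW=echo
RULE_NUM=1000                         # assumed free rule number
RULE_BODY="allow tcp from any to me 80"
OPEN_HOUR=9                           # window opens at 09:00
CLOSE_HOUR=13                         # window closes at 13:00

# Print "open" if hour $1 (as printed by `date +%H`) is in the window.
window_state() {
    hour=${1#0}; hour=${hour:-0}      # "09" -> 9, "00" -> 0 (avoid octal)
    if [ "$hour" -ge "$OPEN_HOUR" ] && [ "$hour" -lt "$CLOSE_HOUR" ]; then
        echo open
    else
        echo closed
    fi
}

# Print the change needed: $1 = hour, $2 = present|absent.
plan_action() {
    case "$(window_state "$1"):$2" in
        open:absent)    echo add ;;
        closed:present) echo delete ;;
        *)              echo none ;;
    esac
}

# Relies on `ipfw list N` exiting non-zero when rule N does not exist.
rule_present() {
    if "$IPFW" list "$RULE_NUM" >/dev/null 2>&1; then
        echo present
    else
        echo absent
    fi
}

reconcile() {
    case "$(plan_action "$(date +%H)" "$(rule_present)")" in
        add)    "$IPFW" -q add "$RULE_NUM" $RULE_BODY ;;
        delete) "$IPFW" -q delete "$RULE_NUM" ;;
    esac
}

if [ "${1:-}" = "apply" ]; then reconcile; fi
```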