Date: Fri, 4 Apr 2003 07:48:17 -0800 From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx> To: freebsd-ipfw@freebsd.org Subject: Re: IPFW stateful deny question Message-ID: <20030404154817.GA3721@kurdistan.ath.cx> In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net> References: <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Sten,
> Thank you for responding!
>
> What I was after was a firewall setup that could block potential hackers for the
> duration of a stateful rule life period when they tried to portscan certain services.
>
> Say if someone tried to access port 80 on box 1.2.3.4 it would match by a firewall rule
> And a stateful deny rule would be setup that would deny all IP packets from that someone.
In that case... you're going to have to set up some kind of check where -- through
a number of skipto's -- where *if* packets coming from a particular ip source matched
all the previous skiptos, then the port would be closed; very very complicated.
I'm guessing it would have to look something like:
ipfw add 1001 check-state
ipfw add 1002 skipto 1004 all from any to any ftp in via ${oif_1} #keep-state?
*ipfw add 1003 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1004 skipto 1006 all from any to any ssh in via ${oif_1} #keep-state?
*ipfw add 1005 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1006 skipto 1008 all from any to any http,https in via ${oif_1} keep-state
*Using the skipto's to keep from another packet that did not match the previous checks
to jump in. All packets that hit the keep-state must have passed by *all* previous
skiptos.
Hope that helps Sten, that's the best I can do at the moment ;)
You have certainly started me thinking about a solution, Good Luck!
-Sereciya Kurdistani
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030404154817.GA3721>