From owner-freebsd-questions Mon Aug 20 7:28:19 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rush.telenordia.se (mail.telenordia.se [194.213.64.42]) by hub.freebsd.org (Postfix) with SMTP id 76C6437B406 for ; Mon, 20 Aug 2001 07:28:13 -0700 (PDT) (envelope-from mark.rowlands@minmail.net)
Received: (qmail 16323 invoked from network); 20 Aug 2001 16:28:12 +0200
Received: from bb-62-5-36-29.bb.tninet.se (HELO pcmarpxy.tninet.se) (62.5.36.29) by mail.telenordia.se with SMTP; 20 Aug 2001 16:28:12 +0200
Content-Type: text/plain; charset="iso-8859-1"
From: Mark Rowlands
To: Kris Kennaway , default - Subscriptions
Subject: Re: Would like suggestion for an app to write IPFW rules...
Date: Mon, 20 Aug 2001 16:28:21 +0200
X-Mailer: KMail [version 1.2]
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
References: <20010820053709.A98564@xor.obsecurity.org>
In-Reply-To: <20010820053709.A98564@xor.obsecurity.org>
MIME-Version: 1.0
Message-Id: <01082016282101.04869@pcmarpxy.tninet.se>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Monday 20 August 2001 14:37, Kris Kennaway wrote:
> On Mon, Aug 20, 2001 at 06:02:36AM -0500, default - Subscriptions wrote:
> > Hi,
> >
> > I am looking for something to enhance my IPFW firewall... (or would take
> > any other firewall under consideration if there is one that comes
> > suggested for this type of application) I would like a suggestion on what
> > would be a good program to detect attacks such as DOSes, port scans,
> > etc., that is capable of writing IPFW on the fly to block the source of
> > the attacks...
> >
> > I believe that Snort can do this, but I am not very familiar with this
> > kind of firewall so...
>
> Can be a dangerous idea, since it's usually trivial to spoof an
> "attack" coming from a critical server like your DNS servers, and
> cause your system to deny itself from the internet. If you have a
> 'default to deny' firewall and a sensible security policy for the
> remaining enabled ports then an active response doesn't really buy you
> anything anyway.
>
> Kris

But it feels soooooo good :-)

Seriously though... active response... bad. You really have no idea whether you are hitting a bad guy, an innocent dupe or even yourself without very big exclude lists, and those will need maintaining... ussch.

Snort is very good. It does not actively respond, although there is a plugin you can use for that, and it is very easy to deploy and comes with some very nice analysis tools these days.
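The exclude-list check the reply describes, as an added example that is not part of the original thread and not Snort's or ipfw's own code: a small planner that takes sensor alerts (source address plus reason) and emits `ipfw add ... deny` commands only for sources that are not on a protected list covering the host itself, its gateway and its DNS resolvers. Every address and alert below is constructed for the example, and nothing is executed: the commands are returned as strings so a human or a separate step can review them before they touch the firewall.

```python
import ipaddress

# Constructed example values (not from the post): networks an
# auto-responder must never block, whatever a sensor claims.
PROTECTED = [
    "127.0.0.0/8",       # loopback
    "192.0.2.10/32",     # this host's own address (constructed)
    "192.0.2.1/32",      # default gateway (constructed)
    "198.51.100.53/32",  # primary DNS resolver (constructed)
    "198.51.100.54/32",  # secondary DNS resolver (constructed)
]

# Constructed alerts as a sensor might report them: (source, reason).
# Two of them carry spoofed sources that match protected hosts.
ALERTS = [
    ("203.0.113.45", "portscan"),
    ("198.51.100.53", "portscan"),   # spoofed as our DNS resolver
    ("192.0.2.10", "SYN flood"),     # spoofed as ourselves
    ("203.0.113.45", "portscan"),    # duplicate of the first alert
    ("not-an-ip", "portscan"),       # garbage the sensor passed through
]


def load_protected(cidrs):
    """Parse the exclude list once into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_protected(ip, nets):
    """True if the address falls inside any protected network."""
    return any(ip in n for n in nets)


def block_rule(src, nets, rule_number=1000):
    """Return an ipfw deny command for src, or None if src is protected
    or unparseable. Only builds the string; it never runs anything."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    if is_protected(ip, nets):
        return None
    return f"ipfw add {rule_number} deny ip from {ip} to any"


def plan_blocks(alerts, nets):
    """Turn alerts into (rules, skipped). rules are ipfw commands for
    sources that passed the exclude-list check; skipped records the
    sources that were refused together with the alert reason, so the
    refusals themselves can be logged and reviewed."""
    rules, skipped, seen = [], [], set()
    for src, reason in alerts:
        if src in seen:
            continue
        seen.add(src)
        rule = block_rule(src, nets)
        if rule is None:
            skipped.append((src, reason))
        else:
            rules.append(rule)
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = plan_blocks(ALERTS, load_protected(PROTECTED))
    for r in rules:
        print("would run:", r)
    for src, reason in skipped:
        print("refused to block", src, "reported for", reason)
```

Run on the constructed alerts, only `203.0.113.45` yields a rule; the two spoofed sources and the garbage entry land in `skipped`. The list still needs maintaining, as the reply says: a resolver or gateway change that is not mirrored in `PROTECTED` reopens the self-denial problem.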