From: Peter Maxwell <allicient3141@googlemail.com>
To: Len Conrad, freebsd-pf@freebsd.org
Date: Sun, 23 Aug 2009 03:57:32 +0100
Subject: Re: something like bruteblock for pf?
In-Reply-To: <200908230340125.SM01728@W500.Go2France.com>

2009/8/23 Len Conrad:
> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.

Are you sure you really need this in the first place? Others may disagree, but the way I see it is pf is a packet filter; your MTA should be dealing with SMTP "attacks".

Nonetheless, it's probably fairly trivial to do something like you are requesting. Create your pf ruleset with table(s) and corresponding drop rules. You can then create a simple cron script that parses the logs from your sshd, ftpd, etc. and uses pfctl to replace the appropriate table with offending IPs or address ranges. You would probably have to manage timeouts in your scripts as well though.

Please note that - in most situations at least - allowing applications in userland to modify firewall rules is a particularly bad idea, for obvious reasons. Good firewall practice would suggest that the box doing packet filtering does that and only that, with all external services placed in a DMZ; if an attacker then compromises one of your services then they cannot mess about with the firewall rules, or much else for that matter.

Before implementing something like this, I would urge caution: if what you're asking was actually of any use, someone else would probably have done it properly. I can't imagine how log entries from an ftp server, say, are going to be related to your smtp server security? If it's a simple connection management, then max-src-conn/max-src-conn-rate might be a more robust solution.

Peter
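One way to build the cron-driven table update Peter describes (log parsing, pfctl table replace, and the timeout handling he says you would have to manage yourself), as an added example that is not code from the thread; the table name, block rule, state-file path, APPLY switch and sample log lines are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: one pass of the cron job Peter sketches.
# Assumed pf.conf side (hypothetical names): "table <bruteforce> persist" plus
# "block in quick on $ext_if from <bruteforce> to any". Each run counts sshd
# "Failed password" lines per source, bans sources at or above THRESHOLD, stamps the
# ban time in STATE, expires bans after BAN_HOURS, then replaces the table with pfctl
# (only when APPLY=1 and run as root).
THRESHOLD=${THRESHOLD:-3}
BAN_HOURS=${BAN_HOURS:-2}
# Constructed sample log lines in FreeBSD syslog/sshd format (RFC 5737 addresses).
SAMPLE_LOG='Aug 23 02:10:01 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 23 02:10:03 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40123 ssh2
Aug 23 02:10:06 gw sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Aug 23 02:11:00 gw sshd[1250]: Accepted publickey for len from 192.0.2.10 port 5010 ssh2
Aug 23 02:12:05 gw sshd[1251]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2'

# offenders: log on stdin -> sorted source IPs with at least THRESHOLD failures.
offenders() {
    awk -v t="$THRESHOLD" '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# update_state: merge offenders (stdin) into STATE ("ip epoch" per line), dropping
# entries older than BAN_HOURS. Existing lines come first, so an active ban keeps its
# stamp; an expired one is re-added with a fresh stamp if the source still offends.
update_state() {   # $1 = current time, epoch seconds; prints the banned set
    cutoff=$(($1 - BAN_HOURS * 3600))
    { cat "$STATE" 2>/dev/null || :; while read -r ip; do echo "$ip $1"; done; } |
        awk -v c="$cutoff" '!($1 in seen) && $2 > c { seen[$1] = 1; print }' > "$STATE.new"
    mv "$STATE.new" "$STATE"
    cut -d' ' -f1 "$STATE" | sort
}

# run_once: $1 = log file, $2 = now. Feed it a log that rotates, or stale failures
# will re-ban a source forever. Prints the banned set; pushes it to pf if APPLY=1.
run_once() {
    offenders < "$1" | update_state "$2" > "$STATE.ips"
    [ "${APPLY:-0}" = 1 ] && pfctl -t bruteforce -T replace -f "$STATE.ips"
    cat "$STATE.ips"
}
if [ $# -gt 0 ]; then   # cron use: STATE=/var/db/bruteforce.state APPLY=1 sh ban.sh /var/log/auth.log
    : "${STATE:?set STATE to the ban state file}"
    run_once "$1" "$(date +%s)"
else                    # demo on the constructed log; makes no pfctl call
    STATE=$(mktemp "${TMPDIR:-/tmp}/bb.XXXXXX"); LOG=$(mktemp "${TMPDIR:-/tmp}/bb.XXXXXX")
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
    run_once "$LOG" "$(date +%s)"
    rm -f "$STATE" "$STATE.ips" "$LOG"
fi
```

Because the table is replaced wholesale each run, a source that has aged out of STATE is unbanned on the next cron tick without any separate "remove rule" step.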