From: BB
To: freebsd-pf@freebsd.org
Date: Thu, 4 Aug 2005 15:59:51 -0500
Subject: Re: Can pf dynamicly close connections
Message-ID: <787dcac2050804135922e97d80@mail.gmail.com>
In-Reply-To: <42F28B79.1030202@tirloni.org>

One of the sites that I maintain is moving to a different firewall, a WatchGuard Firebox X1000. None of the full-time admins can work with vi for system changes.

This is a feature on the firewall: if attempts are made on ports that are closed, all ports will be blocked for about 20 minutes.

Don't know if the feature mentioned above is good or bad.

On 8/4/05, Giovanni P. Tirloni wrote:
>
> BB wrote:
> > If a host is sending packets on ports that aren't even open can it
> > temporarily close all connections to this host.
>
> I don't think this is a task pf itself should do, but you can implement
> something to monitor connection attempts on closed ports and then
> inspect pf's state table (pfctl -s state) and remove it (pfctl -k).
>
> Do you want something like PortSentry? Someone could spoof those
> attempts and create a DoS on something you don't want to block.
>
> --
> Giovanni P. Tirloni
>
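The monitor-then-kill loop Giovanni sketches, as an added example that is not code from this thread: it counts blocked inbound hits per source in pflog output, skips an allowlist so that spoofed probes cannot get a trusted host cut off (his DoS caveat), and prints the `pfctl -k` command for each offender instead of running it. The log lines, addresses, threshold and allowlist are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: turn "block in log" hits from pflog into
# pfctl -k commands, with a per-source threshold and an allowlist. Commands are
# printed rather than executed so an operator can review them first.

# Constructed sample, roughly the shape `tcpdump -n -e -ttt -i pflog0` prints for
# packets a "block in log" rule dropped. Documentation-range addresses only.
SAMPLE_LOG='000000 rule 0/0(match): block in on em0: 203.0.113.7.40001 > 192.0.2.10.23: S 1:1(0) win 512
000123 rule 0/0(match): block in on em0: 203.0.113.7.40002 > 192.0.2.10.135: S 1:1(0) win 512
000456 rule 0/0(match): block in on em0: 203.0.113.7.40003 > 192.0.2.10.445: S 1:1(0) win 512
000789 rule 0/0(match): block in on em0: 198.51.100.9.51000 > 192.0.2.10.23: S 1:1(0) win 512
001000 rule 2/0(match): pass in on em0: 198.51.100.9.51001 > 192.0.2.10.22: S 1:1(0) win 512
001200 rule 0/0(match): block in on em0: 192.0.2.99.40001 > 192.0.2.10.23: S 1:1(0) win 512
001300 rule 0/0(match): block in on em0: 192.0.2.99.40002 > 192.0.2.10.25: S 1:1(0) win 512
001400 rule 0/0(match): block in on em0: 192.0.2.99.40003 > 192.0.2.10.80: S 1:1(0) win 512'

# Sources that must never be cut off even if someone spoofs probes from them
# (the DoS case raised in the reply). Hypothetical, space-separated.
ALLOWLIST='192.0.2.99'

# offenders <threshold>: read log on stdin, print each non-allowlisted source
# with at least <threshold> blocked inbound hits, one per line, sorted.
offenders() {
    awk -v thr="$1" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /block in on/ {
            # the field before ">" is "src.port"; strip the trailing port
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            sub(/\.[0-9]+$/, "", src)
            hits[src]++
        }
        END { for (s in hits) if (hits[s] >= thr && !(s in ok)) print s }
    ' | sort
}

# kill_commands <threshold>: the pfctl invocation that drops every state
# involving each offender (pfctl -k <host>), echoed rather than executed.
kill_commands() {
    offenders "$1" | while read -r src; do
        printf 'pfctl -k %s\n' "$src"
    done
}

printf '%s\n' "$SAMPLE_LOG" | kill_commands 3
```

In production the script would read `tcpdump -n -e -ttt -l -i pflog0` continuously and should also expire counters, so a short burst does not keep a host on the list forever.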