From owner-freebsd-pf@FreeBSD.ORG Tue Jan 10 09:37:37 2006
Date: Tue, 10 Jan 2006 03:37:27 -0600
From: "Travis H."
To: Forrest Aldrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Useful utilities for PF
In-Reply-To: <43BEBBC9.8070203@forrie.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I'm going to do a little blatant self-promotion and suggest that you also take a look at dfd_keeper because it implements time-based rule expiration, among other things. Its main purpose is to provide a sort of command shell for pf, but you get a bunch of other things along the way. It is trivial to do things like trigger rule changes in response to snort alerts, or using a logwatching program to detect people attempting to brute-force ssh authentication.

I was also planning to add some kind of IP consolidation/generalization routines so that some attacker hopping around in a /16 won't be able to harass you 65534 times.

Also in the works is a sniffer that will do things like rdr bittorrent ports from your NAT box to an internal host when that host starts up bittorrent. When nobody's using bittorrent, you can go back to stealth mode (as a forwarded port typically gives an open or closed response, you cannot easily do non-leeching bittorrent and remain invisible).

You can download the program or view the source at my homepage below (first link, dynamic firewall daemon). For some reason, DFD has failed to generate any interest at all, but I'm not quite sure why.

--
"If I could remember the names of these particles, I would have been a botanist" -- Enrico Fermi
-><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
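The three mechanisms the message describes (a log watcher that reacts to ssh brute-force attempts, time-based expiration of the resulting block entries, and consolidation of many blocked hosts in one /16 into a single prefix entry) can be sketched in a few dozen lines. The following is an added illustration, not dfd_keeper's code or anything from the original post: it parses constructed sshd log lines, keeps a model of a pf table named `bruteforce` with a per-entry expiry, collapses hosts into their /16 once three of them are blocked, and records the `pfctl -t bruteforce -T add|delete` commands a daemon would run (the table name, the thresholds, the one-hour TTL and the assumed year 2006 for the year-less syslog timestamps are all assumptions made here).

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log sample (not from the original message). RFC 5737
# documentation addresses are used throughout.
SAMPLE_LOG = """\
Jan 10 03:30:01 gw sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 10 03:30:05 gw sshd[5122]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jan 10 03:30:09 gw sshd[5124]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Jan 10 03:31:00 gw sshd[5130]: Accepted publickey for travis from 198.51.100.7 port 50000 ssh2
Jan 10 03:32:00 gw sshd[5140]: Failed password for root from 203.0.113.1 port 41000 ssh2
Jan 10 03:32:01 gw sshd[5141]: Failed password for root from 203.0.113.1 port 41001 ssh2
Jan 10 03:32:02 gw sshd[5142]: Failed password for root from 203.0.113.1 port 41002 ssh2
Jan 10 03:32:10 gw sshd[5143]: Failed password for root from 203.0.113.2 port 41003 ssh2
Jan 10 03:32:11 gw sshd[5144]: Failed password for root from 203.0.113.2 port 41004 ssh2
Jan 10 03:32:12 gw sshd[5145]: Failed password for root from 203.0.113.2 port 41005 ssh2
Jan 10 03:32:20 gw sshd[5146]: Failed password for root from 203.0.113.3 port 41006 ssh2
Jan 10 03:32:21 gw sshd[5147]: Failed password for root from 203.0.113.3 port 41007 ssh2
Jan 10 03:32:22 gw sshd[5148]: Failed password for root from 203.0.113.3 port 41008 ssh2
Jan 10 03:33:00 gw sshd[5149]: Failed password for root from 203.0.113.4 port 41009 ssh2
Jan 10 03:33:01 gw sshd[5150]: Failed password for root from 203.0.113.4 port 41010 ssh2
Jan 10 03:33:02 gw sshd[5151]: Failed password for root from 203.0.113.4 port 41011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2006  # syslog lines carry no year; assumed for the constructed sample


def parse_ts(ts):
    """Turn a syslog timestamp like 'Jan 10 03:30:01' into a datetime."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


class PfTable:
    """Model of one pf table with per-entry expiry. Nothing is executed:
    the pfctl commands a daemon would run are appended to self.commands."""

    def __init__(self, name, prefix_len=16, hosts_per_prefix=3):
        self.name = name
        self.prefix_len = prefix_len            # prefix to generalise to
        self.hosts_per_prefix = hosts_per_prefix  # hosts that trigger it
        self.entries = {}                       # ip_network -> expiry datetime
        self.commands = []

    @staticmethod
    def fmt(net):
        # Single hosts are written without the /32 suffix, as in pfctl usage.
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

    def _run(self, verb, net):
        self.commands.append(f"pfctl -t {self.name} -T {verb} {self.fmt(net)}")

    def covers(self, ip):
        """True if a host or prefix entry already blocks this address."""
        return any(ip in net for net in self.entries)

    def add(self, ip, now, ttl):
        host = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
        self.entries[host] = now + ttl
        self._run("add", host)
        # Generalisation: once enough single hosts from one prefix are blocked,
        # replace them with a single prefix entry that inherits the latest expiry.
        supernet = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        hosts = [n for n in self.entries
                 if n.prefixlen == n.max_prefixlen and n.network_address in supernet]
        if len(hosts) >= self.hosts_per_prefix:
            expiry = max(self.entries[h] for h in hosts)
            for h in hosts:
                del self.entries[h]
                self._run("delete", h)
            self.entries[supernet] = expiry
            self._run("add", supernet)

    def expire(self, now):
        """Time-based expiration: drop every entry whose TTL has elapsed."""
        for net, expiry in list(self.entries.items()):
            if expiry <= now:
                del self.entries[net]
                self._run("delete", net)

    def active(self):
        return sorted(self.fmt(n) for n in self.entries)


class BruteForceWatcher:
    """Counts failed sshd logins per source within a sliding window."""

    def __init__(self, table, threshold=3, window=timedelta(minutes=5),
                 ttl=timedelta(hours=1)):
        self.table, self.threshold, self.window, self.ttl = table, threshold, window, ttl
        self.failures = defaultdict(deque)      # ip -> recent failure times

    def feed(self, line):
        m = FAILED_RE.match(line)
        if not m:
            return None                         # not a failed login
        now, ip = parse_ts(m["ts"]), ipaddress.ip_address(m["ip"])
        self.table.expire(now)                  # sweep on every event
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and not self.table.covers(ip):
            self.table.add(ip, now, self.ttl)
            q.clear()
            return ip
        return None


def process_log(text, **kw):
    """Feed every line of an auth log through a watcher; return its table."""
    watcher = BruteForceWatcher(PfTable("bruteforce"), **kw)
    for line in text.splitlines():
        watcher.feed(line)
    return watcher.table


if __name__ == "__main__":
    t = process_log(SAMPLE_LOG)
    print("\n".join(t.commands))
    print("active:", t.active())
```

For the generated commands to mean anything, pf.conf must declare the table and block from it, e.g. `table <bruteforce> persist` together with `block in quick from <bruteforce>`; a real daemon would run the commands with `subprocess` instead of collecting them, and could also lean on pfctl's own `-T expire` option for the periodic sweep rather than tracking expiry itself. Note the ordering in `add`: the /16 entry is created only after the individual hosts are removed, so the table is never without coverage of those hosts, and a later host from the same prefix (203.0.113.4 in the sample) is recognised as already covered instead of producing another entry.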