/etc/ipf.conf - ipfilter

nanard nanard at crystunix.com
Sat Dec 20 12:57:14 PST 2003


I use IPF with Snort and Guardian.
Snort detects when there are port scans and Guardian adds the attacker's IP to

Snort is in the ports tree.
Guardian is free on http://www.chaotic.org/guardian/

To work with IPF, I had to change my IPF configuration:

At the beginning of my rules, I put this:
pass in from any to any keep state head 10

Then I have my rules which block by default.
For instance,

#---------------- IN ICMP (30) - tl0 ---------- #
block in log proto icmp all head 30
pass in quick proto icmp from any to X.Y.Z.W icmp-type 11 group 30
pass in quick proto icmp from A.B.C.D to X.Y.Z.W  group 30
Idem for OUT, and for IN/TCP, OUT/TCP, etc.

Then Guardian, when it adds an IP, calls a script that I modified to be
in group 10:

echo "block in log $options on $interface from $source to any group 10" |
/sbin/ipf -f -

You can tell Guardian the deny time for an IP and the trusted IPs.
It's useful in case the attacker spoofs your gateway, for instance (it
won't block it).

I hope it can help you.

----- Original Message ----- 
From: "Arie J. Gerszt" <arie at gerszt.ch>
To: <freebsd-isp at freebsd.org>
Sent: Friday, December 19, 2003 10:17 PM
Subject: /etc/ipf.conf - ipfilter

> Hi,
> I was just about to configure and fine-tune my /etc/ipf.conf and
> what kind of settings you use on your servers.
> is anybody interested in exchanging about this topic?
> Thanks,
> arie

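As an added example (not Guardian's script and not code from the post above), the same group 10 block rule wrapped in a small POSIX sh script: it validates the source address before the text reaches ipf, skips trusted addresses such as the gateway mentioned in the reply, and can remove the matching rule again with ipf -r when the deny time expires. The interface name, options, trusted list and ipf path are assumptions.

```shell
#!/bin/sh
# Added example, not Guardian's own script: the post's one-line rule with the
# checks a defender wants before attacker-controlled input reaches ipf.
# Interface, options, trusted list and ipf path are assumptions.
IPF=${IPF:-/sbin/ipf}
INTERFACE=${INTERFACE:-fxp0}
OPTIONS=${OPTIONS:-quick}
TRUSTED="127.0.0.1 192.0.2.1"   # constructed: loopback plus the gateway

# Accept only a dotted-quad IPv4 address, so no rule text can be smuggled in.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True when the address is on the trusted list (gateway, loopback, admins).
is_trusted() {
    for t in $TRUSTED; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Print the group 10 rule; status 1 for a bad address, 2 for a trusted one.
block_rule() {
    valid_ipv4 "$1" || return 1
    is_trusted "$1" && return 2
    printf 'block in log %s on %s from %s to any group 10\n' \
        "$OPTIONS" "$INTERFACE" "$1"
}

# add|remove <ip>: load the rule, or remove the matching rule (ipf -r) on expiry.
guardian_action() {
    rule=$(block_rule "$2") || return $?
    case "$1" in
        add)    printf '%s\n' "$rule" | "$IPF" -f - ;;
        remove) printf '%s\n' "$rule" | "$IPF" -r -f - ;;
        *)      return 3 ;;
    esac
}

[ $# -ge 2 ] && guardian_action "$1" "$2"
```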