/etc/ipf.conf - ipfilter
nanard at crystunix.com
Sat Dec 20 12:57:14 PST 2003
I use IPF with Snort, and Guardian.
Snort detects when there are port scan and Guardian adds the ip attacker to
Snort is in ports tree.
Guardian is free on http://www.chaotic.org/guardian/
To works with IPF, i had to change my IPF configuration:
At the beginning on my rules, i put this:
pass in from any to any keep state head 10
Then i ve my rules which block by default.
#---------------- IN ICMP (30) - tl0 ---------- #
block in log proto icmp all head 30
pass in quick proto icmp from any to X.Y.Z.W icmp-type 11 group 30
pass in quick proto icmp from A.B.C.D to X.Y.Z.W group 30
idem for OUT, and for IN/TCP, OUT/TCP, etc
Then guardian, when it added an ip, it calls a script that i modified to be
in group 10:
echo "block in log $options on $interface from $source to any group 10" |
/sbin/ipf -f -
You can say to Guardian the time for a deny ip and the trusted ip.
It s useful in the case of the attacker spoof your gateway for instance (it
wont block it).
I hope it can help you.
----- Original Message -----
From: "Arie J. Gerszt" <arie at gerszt.ch>
To: <freebsd-isp at freebsd.org>
Sent: Friday, December 19, 2003 10:17 PM
Subject: /etc/ipf.conf - ipfilter
> i was just about to configure and fine tune mit /etc/ipf.conf and
> what kind of settings you use on your servers.
> is anybody interested in exchanging about this topic?
> freebsd-isp at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
More information about the freebsd-isp