A more pliable firewall

Ian Smith smithi at nimnet.asn.au
Fri Feb 20 05:43:07 PST 2009 

On Fri, 20 Feb 2009, Artyom Viklenko wrote:
 > On Thu, 19 Feb 2009, Bakul Shah wrote:
 > 
 > > I am wondering if there is a more dynamic and scriptable
 > > firewall program.  The idea is to send it alerts (with sender
 > > host address) whenever a dns probe fails or ssh login fails
 > > or smtpd finds it has been fed spam or your website is fed
 > > bad urls.  This program will then update the firewall after a
 > > certain number of attempts have been made from a host within
 > > a given period.
 > > 
 > > Right now, when I find bad guys blasting packets at me, I add
 > > a rule to pf.conf to drop all packets from these hosts but
 > 
 > 
 > Actually, you can use tables and add these ip-s to tables
 > while leave pf.conf untouchable. The only thing to resolv
 > is to write some daemon which will receive notifyes and update
 > pf tables. It should be not so hard to write such piece
 > of software.

/usr/ports/security/fwlogwatch

DESCRIPTION
       fwlogwatch   produces   Linux   ipchains,   Linux   netfilter/iptables,
       Solaris/BSD/Irix/HP-UX ipfilter, ipfw, Cisco IOS, Cisco PIX, NetScreen,
       Windows XP firewall, Elsa Lancom  router  and  Snort  IDS  log  summary
       reports in plain text and HTML form and has a lot of options to analyze
       and display relevant patterns. It  can  produce  customizable  incident
       reports  and  send  them to abuse contacts at offending sites or CERTs.
       Finally, it can also run as daemon (with web interface) doing  realtime
       log  monitoring  and reporting anomalies or starting attack countermea-
       sures.

I notice it doesn't mention pf, but it might be worth checking out; it 
calls your scripts on detection by various rules and looks customisable.

Thanks to Michael Butler, who pointed out how to add table entries with 
it, with a timestamp value allowing removal of 'stale' entries by cron.

 > > all this manual editing is getting old and the internet is
 > > getting more and more like the Wild West crossed with the
 > > Attack of the Zombies.

Indeed.  Having lots of fun with ipfw tables here, most lately detecting 
and so ceasing participation in forged-source DNS amplification attacks.

cheers, Ian

More information about the freebsd-net mailing list