IPFW stateful deny question
Sereciya Kurdistani
sereciya at kurdistan.ath.cx
Fri Apr 4 07:48:20 PST 2003
Sten,
> Thank you for responding!
>
> What I was after was a firewall setup that could block potential hackers for the
> duration of a stateful rule life period when they tried to portscan certain services.
>
> Say if someone tried to access port 80 on box 1.2.3.4, it would be matched by a firewall rule
> and a stateful deny rule would be set up that would deny all IP packets from that someone.
In that case... you're going to have to set up some kind of check where, through
a number of skiptos, *if* packets coming from a particular IP source matched
all the previous skiptos, then the port would be closed; very, very complicated.
I'm guessing it would have to look something like:
ipfw add 1001 check-state
ipfw add 1002 skipto 1004 tcp from any to any ftp in via ${oif_1}        #keep-state?
*ipfw add 1003 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1004 skipto 1006 tcp from any to any ssh in via ${oif_1}        #keep-state?
*ipfw add 1005 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1006 skipto 1008 tcp from any to any http,https in via ${oif_1} keep-state
*The skiptos are used to keep a packet that did not match the previous checks
from jumping in. All packets that hit the keep-state must have passed by *all* previous
skiptos.
Hope that helps Sten, that's the best I can do at the moment ;)
You have certainly started me thinking about a solution, Good Luck!
-Sereciya Kurdistani
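Added example, not code from either message in this thread. It gets the behaviour Sten asked for (a source that probes a trap port has all of its IP traffic dropped for a while) without a skipto chain: a deny rule on the trap ports logs the hit, a watcher pulls the source address out of the ipfw log line and puts it in an ipfw table for a fixed time, and a rule at the top of the ruleset drops everything from addresses in that table. Everything concrete here is my assumption, not the thread's: an ipfw release with table support (later than the 2003 ruleset above), rule numbers 100 and 200, table 1, trap ports 23,135,445, a 600 second ban, and the stock "ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <if>" kernel log line; the log lines used to exercise it are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): ban any source that touches a trap
# port by putting it in an ipfw table for BLOCK_SECS, driven from the
# kernel's ipfw log lines. Assumed: ipfw with table support, the rule
# numbers, ports and log format below.

TABLE=${TABLE:-1}                   # ipfw table holding banned sources
BLOCK_SECS=${BLOCK_SECS:-600}       # how long a source stays banned
TRAP_PORTS=${TRAP_PORTS:-23,135,445} # ports nobody legitimate should touch
IPFW=${IPFW:-ipfw}                  # set IPFW=echo to print rules instead of loading them

# Rule 100: drop everything from a source already in the table.
# Rule 200: drop and log any fresh TCP connection attempt to a trap port;
#           the log line is what the watcher keys on. "logamount 0"
#           removes the per-rule log limit so a slow scanner is never missed.
install_rules() {
    $IPFW add 100 deny ip from "table($TABLE)" to any in
    $IPFW add 200 deny log logamount 0 tcp from any to me "$TRAP_PORTS" in setup
}

# Print the source address from one ipfw log line, or nothing unless the
# line is a rule-200 hit (so hits on other rules never trigger a ban).
src_of_trap_hit() {
    printf '%s\n' "$1" |
        sed -n 's/.*ipfw: 200 Deny TCP \([0-9.][0-9.]*\):[0-9]* .*/\1/p'
}

# Ban a source now and schedule its removal after BLOCK_SECS.
ban() {
    $IPFW table "$TABLE" add "$1"
    ( sleep "$BLOCK_SECS"; $IPFW table "$TABLE" delete "$1" ) &
}

# Follow the ipfw log (syslog's security facility on FreeBSD by default)
# and ban each source that hits rule 200.
watch_log() {
    tail -F "${1:-/var/log/security}" | while IFS= read -r line; do
        ip=$(src_of_trap_hit "$line")
        [ -n "$ip" ] && ban "$ip"
    done
}

# Usage: sh trapban.sh run   (loads the rules, then watches the log forever)
if [ "${1:-}" = "run" ]; then
    install_rules
    watch_log
fi
```

Two caveats worth knowing before relying on this: the ban lands only after the kernel has logged the hit and syslog has written it, so the rest of a fast scan is already in flight by then and is judged by the normal rules, not by rule 100; and because rule 200 uses "setup", only SYNs to the trap ports trigger it, so a scanner that is itself spoofing its source address ends up banning whoever it spoofs, which is the usual reason to keep the window short.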