Date: Fri, 20 Feb 2009 19:04:45 +1100 From: Lawrence Stewart <lstewart@room52.net> To: Bakul Shah <bakul@bitblocks.com> Cc: net@freebsd.org Subject: Re: A more pliable firewall Message-ID: <499E641D.1060605@room52.net> In-Reply-To: <20090220055936.035255B1B@mail.bitblocks.com> References: <20090220055936.035255B1B@mail.bitblocks.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Bakul Shah wrote:
> I am wondering if there is a more dynamic and scriptable
> firewall program. The idea is to send it alerts (with sender
> host address) whenever a dns probe fails or ssh login fails
> or smtpd finds it has been fed spam or your website is fed
> bad urls. This program will then update the firewall after a
> certain number of attempts have been made from a host within
> a given period.
>
> Right now, when I find bad guys blasting packets at me, I add
> a rule to pf.conf to drop all packets from these hosts but
> all this manual editing is getting old and the internet is
> getting more and more like the Wild West crossed with the
> Attack of the Zombies.
It's a fairly crude solution and doesn't address a lot of the features
you mention, but I do this with PF on many of my FreeBSD machines
(tuning the various timeout and connection rates as appropriate):
# Drop packets from hosts trying to spam us with connections.
# We rehabilitate this list by calling
# "pfctl -t bad_hosts -T expire 600" from cron every few mins
block drop in quick on $wan_if from <bad_hosts>
# Allow TCP connections from the outside world to:
# ssh (port 22)
# https (port 443)
# Attempting to connect more than 5 times in 30 seconds
# will put you in the bad books for a while
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port { 22,
443 } keep state (max-src-conn-rate 5/30, overload <bad_hosts> flush global)
It does a surprisingly good job at stopping a majority of cruft ending
up in my security logs, and the rehabilitation via cron ensures any
false positives don't require manual intervention to remove the
offending IP(s) from the black list.
There are also of course many options in ports, some of which are very
sophisticated (e.g. snort, bro).
Cheers,
Lawrence
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?499E641D.1060605>