Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 4 Apr 2003 07:48:17 -0800
From:      Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW stateful deny question
Message-ID:  <20030404154817.GA3721@kurdistan.ath.cx>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net>
References:  <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Sten,

> Thank you for responding!
> 
> What I was after was a firewall setup that could block potential hackers for the 
> duration of a stateful rule life period when they tried to portscan certain services.
> 
> Say if someone tried to access port 80 on box 1.2.3.4 it would match by a firewall rule
> And a stateful deny rule would be setup that would deny all IP packets from that someone.

  In that case... you're going to have to set up some kind of check where -- through
  a number of skipto's -- where *if* packets coming from a particular ip source matched
  all the previous skiptos, then the port would be closed;  very very complicated.

  I'm guessing it would have to look something like:

  ipfw add 1001 check-state
  ipfw add 1002 skipto 1004  all from any to any ftp        in via ${oif_1} #keep-state?
 *ipfw add 1003 skipto 65535 all from any to any            in via ${oif_1}
  ipfw add 1004 skipto 1006  all from any to any ssh        in via ${oif_1} #keep-state?
 *ipfw add 1005 skipto 65535 all from any to any            in via ${oif_1}
  ipfw add 1006 skipto 1008  all from any to any http,https in via ${oif_1} keep-state

 *Using the skipto's to keep from another packet that did not match the previous checks
  to jump in.  All packets that hit the keep-state must have passed by *all* previous
  skiptos.

  Hope that helps Sten, that's the best I can do at the moment ;)

  You have certainly started me thinking about a solution, Good Luck!

-Sereciya Kurdistani



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030404154817.GA3721>