Date:      Fri, 4 Apr 2003 07:48:17 -0800
From:      Sereciya Kurdistani <>
Subject:   Re: IPFW stateful deny question
Message-ID:  <>
In-Reply-To: <>
References:  <>



> Thank you for responding!
> What I was after was a firewall setup that could block potential hackers for the
> duration of a stateful rule's life period when they tried to portscan certain services.
> Say if someone tried to access port 80 on the box, it would be matched by a firewall rule,
> and a stateful deny rule would be set up that would deny all IP packets from that someone.

  In that case... you're going to have to set up some kind of check where -- through
  a number of skiptos -- *if* packets coming from a particular IP source matched
  all the previous skiptos, then the port would be closed;  very, very complicated.

  I'm guessing it would have to look something like:

  ipfw add 1001 check-state
  ipfw add 1002 skipto 1004  all from any to any ftp        in via ${oif_1} #keep-state?
 *ipfw add 1003 skipto 65535 all from any to any            in via ${oif_1}
  ipfw add 1004 skipto 1006  all from any to any ssh        in via ${oif_1} #keep-state?
 *ipfw add 1005 skipto 65535 all from any to any            in via ${oif_1}
  ipfw add 1006 skipto 1008  all from any to any http,https in via ${oif_1} keep-state

 *Using the skiptos to keep another packet that did not match the previous checks
  from jumping in.  All packets that hit the keep-state must have passed by *all* previous

  Hope that helps, Sten; that's the best I can do at the moment ;)

  You have certainly started me thinking about a solution. Good luck!

-Sereciya Kurdistani
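To see which rule a given packet actually ends on in a skipto chain like the one above, here is a small Python model of ipfw's processing order: first match wins, `skipto N` resumes at the first rule numbered at or after N, `check-state` consults the dynamic table, and `keep-state` installs a per-flow entry that expires after a lifetime. This is an added example, not code from the message or from ipfw itself. Assumptions it makes: ftp/ssh/http/https are ports 21/22/80/443, `oif_1` stands in for `${oif_1}`, the implicit rule 65535 denies (ipfw's default unless the kernel is built to accept), dynamic entries are keyed on protocol, source address and destination port (destination host omitted for brevity) and are refreshed on each match, as ipfw's are. The packets and addresses are constructed sample input. The second ruleset, `stateful_deny_on_port`, is my own sketch of what the original question asked for (a deny rule carrying keep-state), not something proposed in the thread; the model shows that such state is per flow, so it does not by itself cover every IP packet from that source.

```python
"""Toy model of ipfw rule processing (added example, not ipfw's own code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # constructed sample source address
    dport: int          # destination port
    iface: str          # interface the packet is seen on
    direction: str = "in"
    proto: str = "tcp"


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny", "skipto", "check-state"
    target: Optional[int] = None      # skipto target rule number
    dports: frozenset = frozenset()   # empty = any destination port
    iface: Optional[str] = None       # "via" interface, None = any
    direction: Optional[str] = None   # "in" / "out", None = either
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return ((not self.dports or pkt.dport in self.dports)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction))


class Firewall:
    DEFAULT_RULE = 65535   # ipfw's implicit last rule, modelled as deny here

    def __init__(self, rules, dyn_lifetime=300):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}          # flow key -> (parent Rule, expiry time)
        self.dyn_lifetime = dyn_lifetime

    @staticmethod
    def flow_key(pkt: Packet):
        # ipfw dynamic rules are per flow, not per source address
        return (pkt.proto, pkt.src, pkt.dport)

    def _index_at_or_after(self, number: int) -> int:
        for idx, rule in enumerate(self.rules):
            if rule.number >= number:
                return idx
        return len(self.rules)     # past the last rule: falls to 65535

    def evaluate(self, pkt: Packet, now: int = 0):
        """Return (action, deciding rule number, list of rule numbers visited)."""
        trace, i, key = [], 0, self.flow_key(pkt)
        while i < len(self.rules):
            rule = self.rules[i]
            trace.append(rule.number)
            if rule.action == "check-state":
                entry = self.dynamic.get(key)
                if entry is not None and entry[1] > now:
                    parent = entry[0]               # rule that created the state
                    self.dynamic[key] = (parent, now + self.dyn_lifetime)
                    trace.append(parent.number)
                    if parent.action == "skipto":
                        i = self._index_at_or_after(parent.target)
                        continue
                    return parent.action, parent.number, trace
                i += 1
                continue
            if not rule.matches(pkt):
                i += 1
                continue
            if rule.keep_state:                     # state is installed before the action runs
                self.dynamic[key] = (rule, now + self.dyn_lifetime)
            if rule.action == "skipto":
                i = self._index_at_or_after(rule.target)
                continue
            return rule.action, rule.number, trace
        return "deny", self.DEFAULT_RULE, trace


OIF = "oif_1"   # placeholder for ${oif_1} in the message above


def skipto_chain() -> Firewall:
    """The skipto chain from the message, one Rule per ipfw line."""
    return Firewall([
        Rule(1001, "check-state"),
        Rule(1002, "skipto", 1004, frozenset({21}), OIF, "in"),
        Rule(1003, "skipto", 65535, frozenset(), OIF, "in"),
        Rule(1004, "skipto", 1006, frozenset({22}), OIF, "in"),
        Rule(1005, "skipto", 65535, frozenset(), OIF, "in"),
        Rule(1006, "skipto", 1008, frozenset({80, 443}), OIF, "in", keep_state=True),
    ])


def stateful_deny_on_port(port: int = 80) -> Firewall:
    """Hypothetical sketch of the asker's goal: deny with keep-state, so later
    packets of the same flow are dropped by check-state until the entry expires."""
    return Firewall([
        Rule(100, "check-state"),
        Rule(200, "deny", None, frozenset({port}), OIF, "in", keep_state=True),
        Rule(300, "allow", None, frozenset(), OIF, "in"),
    ])


if __name__ == "__main__":
    fw = skipto_chain()
    for port in (21, 22, 80):
        print(port, fw.evaluate(Packet("203.0.113.5", port, OIF)))
    fw2 = stateful_deny_on_port()
    print(fw2.evaluate(Packet("198.51.100.7", 80, OIF), now=0))
    print(fw2.evaluate(Packet("198.51.100.7", 80, OIF), now=10))
    print(fw2.evaluate(Packet("198.51.100.7", 22, OIF), now=10))
```

Run it as a script to print the trace for each constructed packet; `evaluate` returns the action, the rule that decided, and the rule numbers visited, so the chain can be checked rule by rule rather than by reasoning about it in the head.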
