From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 4 07:48:20 2003
Date: Fri, 4 Apr 2003 07:48:17 -0800
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Subject: Re: IPFW stateful deny question
Message-ID: <20030404154817.GA3721@kurdistan.ath.cx>
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3CC3@exchange.wanglobal.net>

Sten,

> Thank you for responding!
>
> What I was after was a firewall setup that could block potential hackers for the
> duration of a stateful rule life period when they tried to portscan certain services.
>
> Say if someone tried to access port 80 on box 1.2.3.4 it would match by a firewall rule
> And a stateful deny rule would be setup that would deny all IP packets from that someone.

In that case... you're going to have to set up some kind of check where -- through a
number of skiptos -- *if* packets coming from a particular ip source matched all the
previous skiptos, then the port would be closed; very very complicated.

I'm guessing it would have to look something like:

ipfw add 1001 check-state
ipfw add 1002 skipto 1004 all from any to any ftp in via ${oif_1} #keep-state?
*ipfw add 1003 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1004 skipto 1006 all from any to any ssh in via ${oif_1} #keep-state?
*ipfw add 1005 skipto 65535 all from any to any in via ${oif_1}
ipfw add 1006 skipto 1008 all from any to any http,https in via ${oif_1} keep-state

*Using the skiptos to keep another packet that did not match the previous checks from
jumping in. All packets that hit the keep-state must have passed by *all* previous
skiptos.

Hope that helps Sten, that's the best I can do at the moment ;)

You have certainly started me thinking about a solution,

Good Luck!

-Sereciya Kurdistani
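To see how check-state, keep-state and skipto interact for the setup Sten describes, here is a small Python model (added here, not code from the mail or from ipfw itself) that walks a constructed ruleset the way ipfw's first-match evaluation does; the addresses, rule numbers and the 80 / 22 ports are made up. It models dynamic state keyed on the flow, which is why one keep-state deny covers that flow and not every packet from the probing host.

```python
# Toy model of ipfw first-match evaluation with check-state, keep-state and skipto.
# Added example, not code from the mail or from ipfw: it does not load any rules, it
# only simulates the rule walk so you can see where a packet finally lands.
# Assumptions: a packet is (src, dst, dport); a rule's port tuple matches dport only
# (empty = any port); dynamic state is keyed on the flow, as ipfw's is, and a
# check-state hit executes the action of the rule that created that state.

def evaluate(rules, dynamic, pkt):
    """Walk rules (ascending numbers) for pkt; return (final action, rule numbers visited)."""
    src, dst, dport = pkt
    flow = (src, dst, dport)
    visited, i = [], 0
    while i < len(rules):
        num, action, ports, target, keep = rules[i]
        visited.append(num)
        if action == "check-state":
            if flow not in dynamic:            # no state for this flow: fall through
                i += 1
                continue
            action, target = dynamic[flow]     # state hit: run the parent rule's action
        elif ports and dport not in ports:     # static rule, port does not match
            i += 1
            continue
        elif keep:
            dynamic[flow] = (action, target)   # state covers this flow only, not the host
        if action == "skipto":                 # continue at the first rule numbered >= target
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
            continue
        return action, visited                 # allow / deny end the walk
    return "deny", visited + [65535]           # kernel default rule (deny on a stock kernel)

# Constructed ruleset in the spirit of the thread: send a probe of port 80 on 1.2.3.4
# to a trap block that denies it statefully, allow everything else.
# Tuple layout: (number, action, ports, skipto target, keep-state).
TRAP = [
    (100, "check-state", (), 0, False),
    (200, "skipto", (80,), 400, False),
    (300, "allow", (), 0, False),
    (400, "deny", (), 0, True),
]

def demo():
    """Trace a web probe, the same flow again, then another port from the same source."""
    dynamic = {}
    probe = ("10.0.0.9", "1.2.3.4", 80)        # constructed addresses
    other = ("10.0.0.9", "1.2.3.4", 22)
    return [evaluate(TRAP, dynamic, probe),    # ("deny", [100, 200, 400])
            evaluate(TRAP, dynamic, probe),    # ("deny", [100])  via the dynamic rule
            evaluate(TRAP, dynamic, other)]    # ("allow", [100, 200, 300])  state is per flow

if __name__ == "__main__":
    for verdict, path in demo():
        print(verdict, path)
```

The third trace is the point of the thread: the stateful deny created on the port 80 probe does not follow the source to port 22, so denying "all IP packets from that someone" takes more than one keep-state rule.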