How about using Snort and Guardian. Guardian.pl will add an ipfw rule each time it sees an alert from Snort. You'll need to adjust the Snort rules for what you want to alert on, but it's a pretty safe and lightweight asset. (just my novice 2 cents...)

John

Alex de Kruijff wrote:

On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
In FreeBSD 5.4R, I tried an IPFW configuration that includes something
like this (plus a lot of other rules):

  check-state
  deny tcp from any to any established
  allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
+ other rules that use keep-state

When I do this, _every_ ssh packet is logged, in both directions.  To
get it to log ONLY the initial connection, I had to give up on using
dynamic rules for ssh and instead do something like:

  allow log tcp from any to ${my-ip} dst-port 22 setup
  allow tcp from any to ${my-ip} dst-port 22 established
  allow tcp from ${my-ip} 22 to any established
  check-state
  deny tcp from any to any established
+ other rules that use keep-state

So now I have lost the per-host ssh limit rule I wanted to include,
and I am filtering packets on flags that can be spoofed
("established") rather than the actual dynamic state of the
connection.  Am I wrong to believe there is an advantage to this?

Is there some way to get the first version to log only the initial
packet while still retaining the dynamic limit src-addr rule?

Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

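The thread's core observation is that a rule carrying both `log` and a state-creating keyword (`keep-state` or `limit`) has its log action re-applied to every later packet of the flow when `check-state` matches the dynamic entry, so the logs fill with one line per packet instead of one per connection. The script below is an added example, not code from the thread or from FreeBSD; it lints an ipfw ruleset (read as plain text, so it runs anywhere, not only on a FreeBSD box) and flags exactly that combination. The two rulesets are constructed from the first two configurations quoted above, and `my_ip` is a placeholder address, not one from the thread.

```shell
#!/bin/sh
# Added example: lint an ipfw ruleset for "log" rules that also create
# dynamic state ("keep-state" or "limit ..."). Such a rule's log action is
# inherited by its dynamic entries via check-state, so every packet of the
# flow is logged, not just the initial setup packet.

# Placeholder address (assumption); substitute your own host address.
my_ip="192.0.2.10"

# Constructed ruleset modelled on the first configuration in the thread.
RULESET_V1="check-state
deny tcp from any to any established
allow log tcp from any to ${my_ip} dst-port 22 setup limit src-addr 3"

# Constructed ruleset modelled on the second (stateless ssh) configuration.
RULESET_V2="allow log tcp from any to ${my_ip} dst-port 22 setup
allow tcp from any to ${my_ip} dst-port 22 established
allow tcp from ${my_ip} 22 to any established
check-state
deny tcp from any to any established"

# Read rules on stdin; print each rule that has the "log" keyword together
# with "keep-state" or "limit", i.e. one whose log action will fire on every
# packet matched through its dynamic entries.
find_chatty_log_rules() {
    awk '
        /(^|[ \t])log([ \t]|$)/ &&
        (/(^|[ \t])keep-state([ \t]|$)/ || /(^|[ \t])limit[ \t]/) { print }
    '
}

# Number of such rules in the ruleset text passed as $1 (prints 0 when none).
count_chatty_log_rules() {
    printf '%s\n' "$1" | find_chatty_log_rules | grep -c . || true
}

# Demo: ruleset 1 flags the ssh rule, ruleset 2 flags nothing.
echo "ruleset 1, rules that will log every packet of their flows:"
printf '%s\n' "$RULESET_V1" | find_chatty_log_rules
echo "ruleset 2, such rules: $(count_chatty_log_rules "$RULESET_V2")"
```

To check a live ruleset, feed `ipfw list` to `find_chatty_log_rules`; the rule numbers in front of each line do not disturb the keyword matching. A flagged rule is not necessarily wrong, but it is where per-packet log volume will come from, and the thread's second layout (a stateless `log ... setup` rule in front of the stateful ones) is one way to keep a single log line per connection.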
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions