# $ext_if1, $ext_if2, <bad_hosts> and <local_networks> are defined elsewhere in pf.conf
# Redirect all kinds of obnoxious traffic to localhost port 24
rdr on { $ext_if1, $ext_if2 } inet proto tcp from any to any \
    port { 445, 135, 139, 5554, 5000, 1434, 15118 } -> 127.0.0.1 port 24

## First Rule
block in quick from <bad_hosts> label "Bad Hosts"

# Trap
pass in log quick inet proto tcp from ! <local_networks> to 127.0.0.1 port 24 \
    flags S/SA keep state (no-sync, max-src-conn 1, overload <bad_hosts> flush global)

You should have a service running that exits right away on port 24.

You should consider that many of the hosts you are catching are dial-up hosts with dynamic IPs, so you may want to delete them after some time; these IPs could be reused by legitimate users. A solution to that would be to block only bad_guys with an MSS of 1460 for a long time and bad_guys with an MSS below 1460 for a short time. (This will only work if you are not connected yourself with a PPPoE connection.)

Manon

--On 26 June 2005 17:35:52 +0200 [EMAIL PROTECTED] wrote:

>> --On 26 June 2005 15:27 +0200, [EMAIL PROTECTED] wrote:
>>
>>> Is there any spamtrap-like mechanism for pf?
>>> E.g. more skilled "bad guys" don't use `nmap -sS &target`.
>>> Such guys will limit their scans to just a few ports (3-6).
>>
>> Since this type of scan typically won't complete a 3-way handshake,
>> there's not really any chance to tell a spoofed source address from a
>> real one...
>
> What about 3-way-handshake scans?
> As I said, such guys scan just a few ports to not get noticed by an IDS
> (and an IDS would "mostly" notice SYN scans but not full 3-way scans if
> just 3 ports, e.g., were scanned).
>
> e.g.
> nmap -sT -sV -P0 -sV -p21,22,80 would be such a case
> or
> nmap -sT -sV -P0 -sV -p21,22
>
> So if I know that I don't run an FTPd, the src IP would get blocked and the
> scan for other ports would fail.
>
> Kind regards,
> Sebastian
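The "service that exits right away on port 24" Manon's trap rule needs, combined with the MSS-based lifetime idea from the same message, as an added example that is not part of the original thread. It assumes the daemon runs on the pf host, that TCP_MAXSEG read from an accepted socket reflects the peer's advertised MSS, and that the two block lifetimes are local policy choices; the table name bad_hosts comes from the rules above.

```python
import socket
import subprocess
import time

TRAP_ADDR = ("127.0.0.1", 24)   # rdr target from the pf rules above
MSS_FULL = 1460                 # plain Ethernet MSS; lower suggests PPPoE/dial-up
TTL_SHORT = 2 * 3600            # assumed lifetime for dynamic-IP hosts
TTL_LONG = 14 * 24 * 3600       # assumed lifetime for everything else


def block_lifetime(mss):
    """Seconds to keep a trapped host blocked, chosen by its advertised MSS."""
    return TTL_LONG if mss >= MSS_FULL else TTL_SHORT


def record(hits, ip, mss, now):
    """Store when the block on ip should lapse; a repeat hit renews it."""
    hits[ip] = now + block_lifetime(mss)
    return hits


def lapsed(hits, now):
    """IPs whose block has run out and can be removed from <bad_hosts>."""
    return sorted(ip for ip, until in hits.items() if until <= now)


def serve(bind=TRAP_ADDR):
    """Accept each redirected connection, note the peer, close at once."""
    hits = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)
    while True:
        conn, (ip, _port) = srv.accept()
        # assumption: the accepted socket's MSS mirrors what the peer sent
        mss = conn.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG)
        record(hits, ip, mss, time.time())
        conn.close()  # exit right away: no banner, no data sent
        # pf's overload rule added the peer to <bad_hosts>; release old ones
        for old in lapsed(hits, time.time()):
            subprocess.run(["pfctl", "-t", "bad_hosts", "-T", "delete", old],
                           check=False)
            del hits[old]
```

Lifetimes are tracked only in memory here; a restart of the daemon leaves existing table entries to pfctl's own expiry.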