Fred Crowson <fred.crow...@gmail.com> writes:

> PF has excellent logging capabilities - which should help in detecting
> port scanning, and if you read the src tracking part of the man page
> it should prove useful.

Very true. The various state tracking options can help detect and head off various types of floods and scans. An example of a distantly related use case (heading off ssh bruteforcers) can be found at http://home.nuug.no/~peter/pf/en/bruteforce.html; that and the pf.conf man page should give you a few ideas. There are a good number of approaches that may fit your scenarios.

> Port knocking has been discussed many times on the mailing list:
> http://marc.info/?l=openbsd-misc&w=2&r=1&s=port+knocking&q=b

Heh. That search turns up quite a few gems, even mention (but not detailed explanation, mind you) of the fact that port knocking can be implemented via PF features if you have a mind to.

For single packet authorization, I'm not aware of any tool in base with that capability, but a quick web search on "OpenBSD single packet authorization" turns up evidence that others have been at least considering the combination (and written some code).

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
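As an added illustration of the state tracking options the reply refers to (this is editor-supplied example configuration, not text from the post or from the linked page), here is a pf.conf fragment that uses the source-tracking limits on the ssh rule to feed an overload table and then block addresses that land in it. The table name, the interface group `egress`, and the thresholds (100 simultaneous connections, 15 new connections in 5 seconds) are illustrative choices; tune them to the traffic you actually expect.

```pf
# Editor-supplied example pf.conf fragment; not from the original post.
# Table that collects hosts which exceed the connection limits below.
# "persist" keeps the table around even when no rule currently references it.
table <bruteforce> persist

# Drop anything from an address that has already tripped the limits.
# "quick" stops rule evaluation here so no later pass rule lets it through.
block quick from <bruteforce>

# Allow ssh in, but track each source address:
#   max-src-conn      - at most 100 simultaneous states per source
#   max-src-conn-rate - at most 15 new connections per 5 seconds per source
#   overload <table>  - a source that exceeds either limit is added to the table
#   flush global      - and all of that source's existing states on every
#                       rule are torn down, not just the ones from this rule
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# Entries never expire on their own.  A cron job such as
#   pfctl -t bruteforce -T expire 86400
# removes addresses that have been in the table for more than a day;
# pfctl -t bruteforce -T show lists what is currently blocked.
```

The useful property for the detection use case in the thread is that the overload table is a record of who exceeded the limits, readable with `pfctl -t bruteforce -T show` and correlatable with the pflog entries the first message mentions; the same `keep state (...)` options can be attached to rules for other services that see scanning or flooding.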