Hi,

A much simpler option is D.J. Bernstein's tcpserver in combination with daemontools.

I use it for all sorts of things, including IP blacklisting into pf's tables.

The packages are in the ports system.

T

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Thomas Smith
Sent: 09 July 2019 19:04
To: misc@openbsd.org
Subject: TCP wrapper alternative?

Hi,

I'm considering an option to evaluate connecting IPs before they're evaluated by `pf` in order to make some decisions about the "reputation" of a connecting IP. Then if that reputation is low enough, some action could either be taken: in `pf` to protect the associated application (say by blocking the connection); or in the app responsible for the listening port.

`pf`, unfortunately, isn't able to make routing decisions based on external factors (insofar as I understand)--I'm hoping to add some additional (very simple) intelligence to that. Just another metric or two for determining if a connection is legitimate.

I've been looking into TCP wrappers for OpenBSD but it seems that this functionality was removed in version 5. Is my understanding of that correct? If so, is there an alternate way to achieve what I mentioned?

I know I can use something like sshguard or fail2ban, but I'm looking for a much simpler option and one that preferably doesn't rely on tailing log files (if there aren't viable alternatives, I may consider these, however).

~ Tom
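
Added example, not part of either message: one way the tcpserver approach from the reply could gate connections and feed a pf table, written as the program tcpserver runs for each connection. The table name, deny-list file, port and paths are assumptions, and the reputation check is a plain file lookup standing in for whatever metric is wanted.

```sh
#!/bin/sh
# Added example (not from the thread): per-connection gate exec'd by tcpserver,
# which exports the peer address as $TCPREMOTEIP. A daemontools ./run could be:
#   exec tcpserver -v 0 2525 /usr/local/sbin/reputation-gate /path/to/service
# Port, paths, table name and deny-list file are assumptions for illustration.
PF_TABLE="${PF_TABLE:-badhosts}"              # assumed pf table name
DENYLIST="${DENYLIST:-/etc/reputation.deny}"  # assumed file, one IPv4 per line
PFCTL="${PFCTL:-pfctl}"                       # overridable for dry runs

# Strict dotted-quad check so nothing unexpected is ever passed to pfctl.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds when the peer should be refused: malformed address or listed.
should_block() {
    is_ipv4 "$1" || return 0
    [ -r "$DENYLIST" ] && grep -Fxq -- "$1" "$DENYLIST"
}

# Refuse and record listed peers in the pf table; otherwise run the service.
handle_connection() {
    ip="${TCPREMOTEIP:-}"
    if should_block "$ip"; then
        if is_ipv4 "$ip"; then
            "$PFCTL" -q -t "$PF_TABLE" -T add "$ip"
        fi
        return 1
    fi
    exec "$@"
}

# Runs only when invoked with a service command, as tcpserver would do.
if [ $# -gt 0 ]; then
    handle_connection "$@" || exit 1
fi
```

pf.conf needs a matching `table <badhosts> persist` and a block rule that references it, and the script needs enough privilege to run pfctl.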