On 6/29/09 9:58 AM, Rod Whitworth wrote:
http://ossec.net/
it's EXACTLY what you want.
They don't say they do pf on their webpage.
Yes, it does.
A default installation use a standard "firewall_up" on server side, in
while in the client it use pf, or iptable or whatever O.S. is supporting.
Without personalization it works well, detecting scans (analyzing logs)
and put the attacking ip in a "ossec_fwtable". After some minutes those
ip's will removed from there.
What you have to do in your of is a simple
table <ossec_fwtable> persist
block in quick from <ossec_fwtable> to any
block out quick from any to <ossec_fwtable>
Of course, you MUST put YOUR ip's in a white list. ;)
--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
