I'm working on a sniffer that will look for certain kinds of traffic and invoke changes to the firewall in reaction to them.
You might wish to check out dfd_keeper for a framework for making changes to pf rules, and I'm working on a python-based sniffer that listens to an interface and invokes DFD commands in reaction. It would not be as fast as making the changes in C, so may not be for performance-demanding environments, but it is very flexible and some of it is already written.

OpenBSD's pcap format is pretty cool, it saves all kinds of useful information like what rule number the packet matched, what interface it was on, etc. Right now I've reviewed all of the pcap implementations, and I could have a rudimentary sniffer running and invoking DFD commands by the end of the weekend.

GOALS:

- python-based sniffer that runs on OpenBSD
- should be able to sniff pflog device or any other interface
- should detect port knocking a la fwknop
- should detect port scanning a la psad
- should detect use of protocols that require port forwarding
- all can be done by monitoring the WAN interface alone
- should interface to dfd_keeper to trigger rule changes
- ideally any module we use should exploit full features of libpcap
- ideally any module we use should be OO
- ideally any module we use should be written at as high a level as possible

The code is on my homepage, listed in the .sig --- look for "Dynamic Firewall Daemon"... about 1000 lines of python. It's really more of an API and system than a fixed set of rules. Also, there's an example script in the distribution suitable for a basic NATting firewall.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
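As an added example (not part of the post and not the poster's DFD code), here is a Python decoder for the OpenBSD pflog record format described above, pulling out the matched rule number, action, reason, interface and direction before the IP header, which is what a pflog-driven sniffer needs before it can decide on a rule change. It assumes the 64-byte struct pfloghdr layout of that era and the pf action/reason/direction code tables shown; the sample record is constructed, and the header's leading `length` byte is honoured so longer headers from later releases are skipped rather than misparsed.

```python
import socket
import struct
# pf action / reason / direction codes as pflog records them (assumed tables).
ACTIONS = {0: "pass", 1: "block", 2: "scrub", 4: "nat", 6: "binat", 8: "rdr"}
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize", 5: "memory"}
DIRS = {0: "in/out", 1: "in", 2: "out"}
AF_INET_BSD = 2   # sa_family_t value for IPv4 on OpenBSD
# Leading part of struct pfloghdr: length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr (rule numbers are stored in network order).
PFLOG_HEAD = struct.Struct("!BBBB16s16sII")
DIR_OFFSET = 60   # u_int8_t dir, after four 32-bit uid/pid fields (64-byte header)

def parse_pflog_record(buf):
    """Decode one DLT_PFLOG record into a dict; raises ValueError if truncated."""
    if len(buf) < PFLOG_HEAD.size:
        raise ValueError("truncated pflog header")
    length, af, action, reason, ifname, ruleset, rulenr, subrulenr = PFLOG_HEAD.unpack_from(buf)
    if length < PFLOG_HEAD.size or len(buf) < length:
        raise ValueError("pflog header length %d inconsistent with record" % length)
    rec = {
        "ifname": ifname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "ruleset": ruleset.split(b"\0", 1)[0].decode("ascii", "replace") or None,
        "rule": rulenr,
        "subrule": None if subrulenr == 0xFFFFFFFF else subrulenr,   # -1 = no anchor rule
        "action": ACTIONS.get(action, "action#%d" % action),
        "reason": REASONS.get(reason, "reason#%d" % reason),
        "dir": DIRS.get(buf[DIR_OFFSET], "?") if length > DIR_OFFSET else "?",
    }
    payload = buf[length:]   # honour `length`: newer releases append fields to the header
    if af == AF_INET_BSD and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        rec["proto"] = payload[9]
        rec["src"] = socket.inet_ntoa(payload[12:16])
        rec["dst"] = socket.inet_ntoa(payload[16:20])
        if rec["proto"] in (6, 17) and len(payload) >= ihl + 4:   # TCP/UDP: ports come first
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", payload, ihl)
    return rec

def sample_record():
    """Constructed record: rule 7 blocked an inbound TCP SYN on em0 to port 22."""
    hdr = PFLOG_HEAD.pack(64, AF_INET_BSD, 1, 0, b"em0", b"", 7, 0xFFFFFFFF)
    hdr += b"\0" * 16 + bytes([1]) + b"\0" * 3   # uid/pid fields (ignored), dir=in, pad
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("203.0.113.5"), socket.inet_aton("192.0.2.10"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr + ip + tcp

if __name__ == "__main__":
    print(parse_pflog_record(sample_record()))
```

Feeding the link-layer bytes of each pflog capture record through parse_pflog_record() gives the sniffer the rule number and interface to key its reactions on, without guessing the header size.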