Travis H. wrote:
> On 2/27/06, Morten Larsen <[EMAIL PROTECTED]> wrote:
>> rdr pass on $ext_if proto tcp from any to ($ext_if) port {135:139, 445}
>> -> 127.0.0.1 $tarpit_port
>>
>> pass in on lo0 proto tcp from any to 127.0.0.1 \
>> port {135:139, 445} flags S/SA synproxy state \
>> (max-src-conn 0, max-src-conn-rate 0/1, \
>> overload <infected> flush)
> 
> I think you overlooked the fact that the dst port is remapped to
> $tarpit_port, so this wouldn't work exactly as you wrote.  In any
> case, you're right, and maybe I can write a couple of scripts or
> trivial little C programs for doing this kind of stuff.  I'm seeing
> more and more requests for things best done in the style of the
> ftp-proxy, and perhaps a web page with a couple of little pf-helper
> tools is in order.
> 
> So far, I can remember:
> 1) re-writing layer 7 content
> 2) blocking src IPs by adding to a table
> 
> Any others come to mind?
> --
> Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

Yes, you are right.
It was just off the top of my head; I should have looked closer before I
posted.
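
An added sketch, not code from either poster, of the second helper idea in the list above (blocking source IPs by adding them to a table): a listener on the redirect target that puts every connecting peer into the `<infected>` table with `pfctl`. The port value and the function names are assumptions; it relies on `rdr` rewriting only the destination, so the peer address is still the original source.

```python
import ipaddress
import socket
import subprocess

TABLE = "infected"    # table named in the quoted rule's overload <infected>
TARPIT_PORT = 8025    # assumed value; the thread never gives $tarpit_port

def pfctl_add_cmd(addr, table=TABLE):
    """Return the pfctl argv that adds one validated source address to a table."""
    ip = ipaddress.ip_address(addr)       # raises ValueError on junk input
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"refusing to block {ip}")
    return ["pfctl", "-t", table, "-T", "add", str(ip)]

def block_new_sources(peers, seen, run=subprocess.run):
    """Add each not-yet-seen peer to the table; return the commands issued."""
    issued = []
    for addr in peers:
        try:
            cmd = pfctl_add_cmd(addr)
        except ValueError:
            continue                      # never pass unvalidated text to pfctl
        if cmd[-1] in seen:
            continue                      # already in the table, skip the fork
        seen.add(cmd[-1])
        run(cmd, check=False)
        issued.append(cmd)
    return issued

def serve(port=TARPIT_PORT):
    """Accept connections redirected to 127.0.0.1:port and block each peer."""
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen()
        while True:
            conn, (peer, _) = srv.accept()
            conn.close()
            block_new_sources([peer], seen)

if __name__ == "__main__":
    serve()
```

Running it for real needs root (or equivalent access to /dev/pf) and a ruleset that blocks `<infected>`.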
