On 2/27/06, Morten Larsen <[EMAIL PROTECTED]> wrote:
> rdr pass on $ext_if proto tcp from any to ($ext_if) port {135:139, 445} \
>     -> 127.0.0.1 port $tarpit_port
>
> pass in on lo0 proto tcp from any to 127.0.0.1 \
>     port {135:139, 445} flags S/SA synproxy state \
>     (max-src-conn 0, max-src-conn-rate 0/1, \
>     overload <infected> flush)

I think you overlooked the fact that the dst port is remapped to $tarpit_port, so this wouldn't work exactly as you wrote.

In any case, you're right, and maybe I can write a couple of scripts or trivial little C programs for doing this kind of stuff. I'm seeing more and more requests for things best done in the style of the ftp-proxy, and perhaps a web page with a couple of little pf-helper tools is in order. So far, I can remember:

1) re-writing layer 7 content
2) blocking src IPs by adding to a table

Any others come to mind?

--
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
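An added illustration of the second helper on that list (blocking src IPs by adding them to a table), not code from the thread or from the poster: a small sh script that takes connection log lines, pulls out the source addresses and feeds them to the <infected> table with pfctl. The log line format, the table name and the DRY_RUN switch are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the original thread: a pf-helper in the spirit of
# "blocking src IPs by adding to a table". It reads connection log lines
# (format constructed here, assumed to be written by the tarpit daemon),
# extracts the source IPv4 addresses and adds them to a pf table.
# With DRY_RUN=1 (the default) it only prints the pfctl commands.

TABLE="${TABLE:-infected}"   # the same table the overload rule fills
DRY_RUN="${DRY_RUN:-1}"      # print instead of run, so it is safe to try

# Print the unique, syntactically valid IPv4 source addresses found on stdin.
# Assumed line shape: "<timestamp> connect from A.B.C.D:port to port N"
extract_src_ips() {
    sed -n 's/.*connect from \([0-9.]*\):[0-9]*.*/\1/p' |
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, "."); ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print
         }' |
    sort -u
}

# Add every address read from stdin to the pf table (or show the command).
block_src_ips() {
    while read -r ip; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "pfctl -t $TABLE -T add $ip"
        else
            pfctl -t "$TABLE" -T add "$ip"
        fi
    done
}

# Constructed sample log standing in for the tarpit daemon's output;
# the 999.x.x.x line and the unrelated line must be ignored.
sample_log() {
    cat <<'EOF'
2006-02-27T10:00:01 connect from 192.0.2.10:4312 to port 445
2006-02-27T10:00:02 connect from 192.0.2.10:4313 to port 139
2006-02-27T10:00:05 connect from 198.51.100.7:1025 to port 135
2006-02-27T10:00:07 connect from 999.1.1.1:2000 to port 445
2006-02-27T10:00:09 something unrelated
EOF
}

sample_log | extract_src_ips | block_src_ips
```

In real use, replace sample_log with a tail of the daemon's log and unset DRY_RUN; the table still needs `table <infected> persist` and a block rule in pf.conf for the entries to have any effect.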
