On 6/27/06, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> I've been through the documentation and this mailing list.  Is there
> another way to add IP addresses to a table directly using a rule in
> pf.conf?  I can see the little bastards coming and I'd like to cut them
> off as quickly as possible.

I'm not sure about the archives here, but this comes up every few months
on [EMAIL PROTECTED]

See my article on open-source active response:
http://www.lightconsulting.com/~travis/active_response.pdf
There's some discussion there as to the wisdom of this: since scans
are trivially spoofed, it could lead to a DoS.

I have been beset with system administration issues, but I intend to
finish up my sniffer that will detect stuff like this and trigger DFD
rule changes.  However, scan detection is going to be one of the last
features I'll encode.

BTW: I'll be making OpenBSD ports to make dfd_keeper easier
to install.
--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
