Hi All,

This is a repost and I was hoping there might be a solution to this. I was wondering if ipfw2 has the ability to detect port scans like iptables with the psd module. I'm looking for a kernel-based solution, not app-based like portsentry. Also, is ipfw2 able to allow/disallow traffic according to time? i.e. If I wanted to allow http traffic only from 9am to 1pm, can I do this with ipfw? I've been looking all over the net looking for a solution but haven't found one and was hoping that someone on the list could help me out, even if the answer is "no, there are no such kernel-based features."

Thank you,
Khoi

On Wed, Jun 09, 2004 at 09:11:46PM -0700, Khoi Dinh wrote:
> Hi All,
>
> This is a repost and I was hoping there might be a solution to this. I was
> wondering if ipfw2 has the ability to detect port scans like iptables with
> the psd module. I'm looking for a kernel-based solution, not app-based like
> portsentry. Also, is ipfw2 able to allow/disallow traffic according to
> time? i.e. If I wanted to allow http traffic only from 9am to 1pm, can I do
> this with ipfw? I've been looking all over the net looking for a solution
> but haven't found one and was hoping that someone on the list could help me
> out, even if the answer is "no, there are no such kernel-based features."

The kernel is the wrong place for these features, and they can be implemented straightforwardly in userland.

Kris

On Thu, 2004-06-10 at 00:11, Khoi Dinh wrote:
> Also, is ipfw2 able to allow/disallow traffic according to
> time? i.e. If I wanted to allow http traffic only from 9am to 1pm, can I do
> this with ipfw? I've been looking all over the net looking for a solution
> but haven't found one and was hoping that someone on the list could help me
> out, even if the answer is "no, there are no such kernel-based features."

I don't believe there are any "kernel-based features" to do the above, but a reasonable solution to that problem would be to use two cron jobs. One, run at 9am, would insert/remove rules using ipfw to allow HTTP traffic. The other, run at 1pm, would insert/remove rules using ipfw to deny HTTP traffic. You're probably already using cron to do log rotation via newsyslog, so leveraging that tool to rotate ipfw traffic policies shouldn't be beyond the pale...

Cheers,

Paul.
--
e-mail: paul@gromit.dlib.vt.edu
"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." --- Frank Vincent Zappa

From: Paul Mather [mailto:paul@gromit.dlib.vt.edu]
> On Thu, 2004-06-10 at 00:11, Khoi Dinh wrote:
>
> > Also, is ipfw2 able to allow/disallow traffic according to
> > time? i.e. If I wanted to allow http traffic only from 9am to 1pm, can I do
> > this with ipfw? I've been looking all over the net looking for a solution
> > but haven't found one and was hoping that someone on the list could help me
> > out, even if the answer is "no, there are no such kernel-based features."
>
> I don't believe there are any "kernel-based features" to do the above,
> but a reasonable solution to that problem would be to use two cron
> jobs. One, run at 9am, would insert/remove rules using ipfw to allow
> HTTP traffic. The other, run at 1pm, would insert/remove rules using
> ipfw to deny HTTP traffic. You're probably already using cron to do log
> rotation via newsyslog, so leveraging that tool to rotate ipfw traffic
> policies shouldn't be beyond the pale...
>
> Cheers,
>
> Paul.

There was a patch to ipfw posted last year that gave time to rules.

On Thu, 2004-06-10 at 08:46, Don Bowman wrote:
> There was a patch to ipfw posted last year that gave time
> to rules.

Interesting. Does the rule processing of the patch burden all packets with an extra check (for time validity), or just those with a time restraint on the rule? I wonder, also, how "keep-state" rules are handled. Are the time constraints of the "keep-state" rule included with the dynamic rule created from it? (If not, that would mean a packet could be allowed in violation of its time constraint?) Does the syntax of time specification use the local time zone, and, if so, what happens during the switch between daylight savings... ;-)

Cheers,

Paul.
--
e-mail: paul@gromit.dlib.vt.edu
"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." --- Frank Vincent Zappa

Khoi Dinh wrote:
> This is a repost and I was hoping there might be a solution to this. I was
> wondering if ipfw2 has the ability to detect port scans like iptables with
> the psd module. I'm looking for a kernel-based solution, not app-based like
> portsentry.

ipfw performs packet inspection and it can certainly recognize the traffic associated with a port scan, yes. The kernel provides support for limiting the generation of ICMP error messages, which is what happens when someone port scans a bunch of closed ports. What else did you want to do?

> Also, is ipfw2 able to allow/disallow traffic according to
> time? i.e. If I wanted to allow http traffic only from 9am to 1pm, can I do
> this with ipfw?

IPFW and IPFW2 have no notion of time, but one could very easily use cron to change your firewall rulesets at specific times in order to accomplish what you've asked for.

--
-Chuck
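
Added example, not part of the thread: the cron approach described in the replies above, written as one idempotent script that cron runs every few minutes instead of two fixed-time jobs, so a reboot or a missed job does not leave the wrong policy in place. The rule number 1000, the script path and the surrounding ruleset are assumptions; the window check also handles ranges that wrap past midnight, which goes beyond the 9am to 1pm case asked about.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: rule number 1000,
# script path, and a ruleset whose later rules deny HTTP when 1000 is absent.
# /etc/crontab entry (cron and date(1) both use the system's local time):
#   */5 * * * * root /usr/local/sbin/http-window.sh apply
IPFW="${IPFW:-/sbin/ipfw}"
RULE_NUM=1000
RULE_BODY="allow tcp from any to me 80 in"
OPEN=0900    # 9am, inclusive
CLOSE=1300   # 1pm, exclusive

# Strip leading zeros so "0900" compares as the decimal number 900.
to_int() { n=${1#0}; n=${n#0}; n=${n#0}; echo "$n"; }

# in_window NOW OPEN CLOSE (HHMM): true inside the window. A window that
# wraps past midnight (OPEN > CLOSE, e.g. 2200-0600) is also handled.
in_window() {
    now=$(to_int "$1"); open=$(to_int "$2"); close=$(to_int "$3")
    if [ "$open" -le "$close" ]; then
        [ "$now" -ge "$open" ] && [ "$now" -lt "$close" ]
    else
        [ "$now" -ge "$open" ] || [ "$now" -lt "$close" ]
    fi
}

# decide NOW PRESENT(yes|no): print the action that brings the ruleset in
# line with the clock: add, delete or none.
decide() {
    if in_window "$1" "$OPEN" "$CLOSE"; then
        if [ "$2" = yes ]; then echo none; else echo add; fi
    else
        if [ "$2" = yes ]; then echo delete; else echo none; fi
    fi
}

rule_present() { "$IPFW" list "$RULE_NUM" >/dev/null 2>&1; }

reconcile() {
    if rule_present; then present=yes; else present=no; fi
    case $(decide "$(date +%H%M)" "$present") in
        add)    "$IPFW" -q add "$RULE_NUM" $RULE_BODY ;;
        delete) "$IPFW" -q delete "$RULE_NUM" ;;
    esac
}

# Touch the firewall only when invoked as: http-window.sh apply
if [ "${1:-}" = apply ]; then reconcile; fi
```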