
Re: Port scan detection with pf

From: Mike Frantzen <frantzen(at)w4g.org>
Date: Sat Nov 30 2002 - 17:26:38 EST

> I found that iptables has (via patch-o-matic) an option to build a

Blech. It is a nightmare doing portscan detection in-kernel. You have to track states _far_ too long after they've expired. It ends up consuming tons of memory which we just can't afford to dedicate to it in-kernel.

You'd be better off writing something to monitor pflog0 to watch for blocked packets and blocking those hosts. You'd be on your own as to whitelisting valid hosts. I haven't seen anything that can set up a good whitelist without tens of hours of manual work and I haven't met a good FW admin yet who wasn't also a damn lazy bastard (me included).

.mike

Received on Sat Nov 30 17:29:08 2002
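A sketch of the pflog0 watcher the reply suggests, as an added example that is not code from the original message or from the pf project. It assumes pflog lines in the shape printed by `tcpdump -n -e -ttt -i pflog0` (the exact format varies by version, so the regex is an assumption to adjust locally), a pf table named `scanners` referenced by a block rule, and a whitelist of networks that may legitimately trip many blocked ports.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample pflog lines (not from the thread); format is an assumption.
SAMPLE_PFLOG = """\
Nov 30 17:26:01.000001 rule 0/(match) block in on fxp0: 192.0.2.10.40001 > 198.51.100.5.21: S 1:1(0) win 65535
Nov 30 17:26:01.000002 rule 0/(match) block in on fxp0: 192.0.2.10.40002 > 198.51.100.5.22: S 1:1(0) win 65535
Nov 30 17:26:01.000003 rule 0/(match) block in on fxp0: 192.0.2.10.40003 > 198.51.100.5.23: S 1:1(0) win 65535
Nov 30 17:26:01.000004 rule 0/(match) block in on fxp0: 192.0.2.10.40004 > 198.51.100.5.25: S 1:1(0) win 65535
Nov 30 17:26:01.000005 rule 0/(match) block in on fxp0: 192.0.2.10.40005 > 198.51.100.5.80: S 1:1(0) win 65535
Nov 30 17:26:02.000001 rule 0/(match) block in on fxp0: 203.0.113.9.51000 > 198.51.100.5.22: S 1:1(0) win 65535
Nov 30 17:26:03.000001 rule 0/(match) block in on fxp0: 203.0.113.9.51001 > 198.51.100.5.22: S 1:1(0) win 65535
Nov 30 17:26:04.000001 rule 0/(match) block in on fxp0: 10.0.0.7.33000 > 198.51.100.5.135: S 1:1(0) win 65535
Nov 30 17:26:04.000002 rule 0/(match) block in on fxp0: 10.0.0.7.33001 > 198.51.100.5.139: S 1:1(0) win 65535
Nov 30 17:26:04.000003 rule 0/(match) block in on fxp0: 10.0.0.7.33002 > 198.51.100.5.445: S 1:1(0) win 65535
"""

# Hosts that may legitimately hit many blocked ports (assumed: internal monitoring range).
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]

BLOCK_RE = re.compile(
    r"block in on \S+: (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+):"
)

def parse_blocked(line):
    """Return (source_ip, destination_port) for a blocked inbound packet, else None."""
    m = BLOCK_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None

def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)

def find_scanners(lines, threshold=3):
    """Non-whitelisted sources blocked on at least `threshold` distinct ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        hit = parse_blocked(line)
        if hit and not is_whitelisted(hit[0]):
            ports_by_src[hit[0]].add(hit[1])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)

def block_commands(scanners, table="scanners"):
    """pfctl commands adding each host to the pf table a block rule is assumed to reference."""
    return [f"pfctl -t {table} -T add {ip}" for ip in scanners]

if __name__ == "__main__":
    print("\n".join(block_commands(find_scanners(SAMPLE_PFLOG.splitlines()))))
```

The repeated hits on one port from 203.0.113.9 stay below the distinct-port threshold, and 10.0.0.7 is skipped by the whitelist, so only 192.0.2.10 is emitted for blocking.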

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:31:48 EDT

