[Dshield] adaptive firewall...

Chris Brenton cbrenton at chrisbrenton.org
Thu Nov 11 10:49:11 GMT 2004

On Wed, 2004-11-10 at 23:36, Johannes B. Ullrich wrote:
> Well, this is some topic where Linux and iptables shine. For a great paper, 
> see: http://www.stearns.org/doc/adaptive-firewalls.current.html

Agreed, iptables is the way to go. Bill talks about doing just what you
need with the "recent" module. Another possibility is to simply use rate
limiting. Something like:

iptables -A FORWARD -i eth0 -m limit --limit 5/minute -p tcp -m state --state NEW -d <mail-server-ip> --dport 25 -j ACCEPT

iptables -A FORWARD -i eth0 -p tcp -d <mail-server-ip> --dport 25 -j REJECT --reject-with icmp-host-unreachable

Process the state table before these rules and keep them in this exact
order. You will be set to go. :)

> Bill Stearns, the author of this paper, got a couple other interesting 
> writings on his site.

*Totally* agree. Bill has some awesome tools as well as some great
write-ups on using common tools like Netcat and SSH. I must mention his
site in class at least a dozen times. ;-)
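The following is an added example, not part of Chris's post: a small Python model of how the two rules above behave, so the "keep them in this exact order" point can be seen without a lab box. It assumes the `-m limit` match can be approximated as a token bucket with `--limit 5/minute` and the default `--limit-burst 5` (the real xt_limit credit arithmetic differs in detail but yields the same accept/reject pattern for this input). The packet list is constructed; state-table rules ahead of these two are modelled as "PASS" for anything that is not a NEW SYN to port 25.

```python
from dataclasses import dataclass, field

@dataclass
class LimitMatch:
    """Token-bucket model of iptables `-m limit --limit R --limit-burst B`.
    Assumption: bucket starts full (B tokens), refills at R tokens/sec,
    and a packet matches only when a whole token is available."""
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last_seen)
        self.last_seen = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def smtp_chain(packets, accept_first=True):
    """Walk the FORWARD chain as Chris describes it: state-table rules first
    (modelled as PASS for non-NEW traffic), then the rate-limited ACCEPT,
    then the unconditional REJECT. accept_first=False swaps the two rules
    to show why the order matters."""
    limit = LimitMatch(rate_per_sec=5 / 60, burst=5)  # --limit 5/minute, default burst 5
    verdicts = []
    for pkt in packets:
        if pkt["dport"] != 25 or pkt["state"] != "NEW":
            verdicts.append("PASS")  # handled by state rules / later rules
            continue
        if accept_first:
            verdicts.append("ACCEPT" if limit.matches(pkt["t"]) else "REJECT")
        else:
            # REJECT listed first is terminal: the limited ACCEPT never runs
            verdicts.append("REJECT")
    return verdicts


# Constructed sample: seven NEW SYNs to port 25 arriving at once,
# one ESTABLISHED packet, then one more NEW SYN 13 s later
# (5/minute means one fresh token every 12 s).
SAMPLE = (
    [{"t": 0.0, "dport": 25, "state": "NEW"} for _ in range(7)]
    + [{"t": 0.5, "dport": 25, "state": "ESTABLISHED"}]
    + [{"t": 13.0, "dport": 25, "state": "NEW"}]
)

if __name__ == "__main__":
    for order in (True, False):
        print("ACCEPT-then-REJECT" if order else "REJECT-then-ACCEPT",
              smtp_chain(SAMPLE, accept_first=order))
```

With the rules in the stated order the first five connection attempts pass, the burst is exhausted and the next two are refused with host-unreachable, and the attempt 13 s later gets through again once a token has refilled; with the order reversed every new SMTP connection is refused, which is the mistake the "exact order" remark guards against.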


