On Tue, 23 Sep 2003 23:32, you wrote: > Nik Trevallyn-Jones wrote: > > As a result of experiences deploying PortSentry behind an ipchains > > firewall recently, I started considering how iptables could be used to > > deploy a dynamic firewall which would be able to modify itself in > > response to predefined events. > > Be very careful with this. I've seen savvy attackers spoof attacks from > the root name servers in order to make the firewall DoS the local > environment. :( Obviously any firewall rules, whether manually or automatically implemented are susceptible to address spoofing. That's one of the reasons I've tried to make my idea as general possible. > > Q: Has anyone considered or suggested this before? > > Yup, and the feature is built into many commercial firewalls (FW-1, PIX, > etc.). I know Bill Stearns was working on this at one point. You might > be able to find more info at: > http://www.stearns.org coowell! Thanks for the pointer! > > 1 two new targets: ENLIST, DELIST > > These targets effectively cause one or more new rules to be automatically > > added/removed to/from the firewall in response to matching the associated > > rule. > > Depending on your IDS, you can script this as well. I seem to remember a > paper floating around at one point that shows how to set this up with > Snort and iptables. I haven't looked at snort, but PortSentry can (and does on my machine) do quite a bit of this. However, as I considered what improvements I would like in PortSentry, it became obvious I was trying to put rule-matching chain logic into it - hence my idea to extend iptables. > > I would like to write a rule which asserts: "BLACKLIST any host that > > sends a SYN packet to any ports between 1025-50000 unless there is a > > socket listening to the port at the time the packet arrives". > > Hummm, so if I back door your system the firewall will happily update > the ruleset to permit me access to that port. That's very polite of it. ;-) Well, if I'm polite to hackers, maybe they'll be nice to me?? - Actually my logic (possibly flawed) was that if they had back doored my system, they probably had enough control to rewrite/disable my firewall anyway. This kind of ability seems to be much more useful on my internal LAN than on my internet interface. I've found in general that PortSentry does basically nothing on my internet interface, because the firewall is stopping any traffic that would normally trip PortSentry. However, on my internal LAN, PortSentry flipped up the shutters pronto when someone recently connected a laptop that was infected with the Blaster worm. Sadly, there was no firewall between that laptop and my other (relatively few) PCs, but PortSentry's response alerted me pretty quickly. So what I am planning now is a separate "quarantine" subnet where I will corral all laptops that could be carrying disease. In that case, PortSentry on the firewall/router between the quarantine and regular LAN would probably stop an infection spreading out of the quarantine subnet. Cheers! Nik.
