Contributed by jose on from the remote-control-management dept.
"Couple of weeks ago, I started implementation of rpfcd, remote OpenBSD packet filter control daemon.This type of thing could prove to be very useful and an interesting protocol. Worth having a look at.rpfcd goal is to provide a common framework for pf control and monitoring. Instead of running pfctl/tcpdump/pflog, writing ad-hoc parsing scripts, sending the results by mail, rpfcd provides the same and much more via a transparent server-client interface. Together with a decent CLI/GUI client, pf firewall monitoring becomes rather easy. This is especially interesting if you have several firewalls to control and monitor.
Since I don't know GUI programming, I'm looking for a brave soul that could implement a GUI client.
Anyways, more details, including source snapshots, are available at http://www.insecure.dk/rpfcd/.
Any input is appreciated. Thanks. "
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Let's see. Every six months. 3.1 was released in May. It's now August. Probably another 3 months...
Comments
By Cowardly poster () on
By invaderzim () on
Comments
By Srebrenko Sehic () haver@insecure.dk on mailto:haver@insecure.dk
Children (serving clients), after chorooting to /var/empty and opening the neccesary device handles, drop all privileges after that.
I still need to implement username/passwd + client/server certificates authentication.
Apxm. 50 lines of code runs as UID 0. Rest is unpriviliged.
Comments
By invaderzim () on
By Banonymous Wizard () on
Comments
By invaderzim () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Srebrenko Sehic () haver@insecure.dk on mailto:haver@insecure.dk
Hybrid 'let's stop kiddies automagically by inserting deny rules in pf' solutions won't fly.
Comments
By francisco () on http://www.blackant.net/
glad you agree. every now and then this comes up on the mailing lists. a couple problems i remember: 1) what order do new rules go in? 2) it's a great way for someone to DoS your firewall, like scan from forged ip's and block large quantities of hosts from your sites.
Comments
By Daniel () daniel a kladdkaka d nu on mailto:daniel a kladdkaka d nu
1. Add a deny rule without the "quick" statement at the end of pf.conf. Then when you want to unblock an ip you just add an allow (pass) statement. Appending at the end all the time. This will be quite messy in the pf.conf after some time but it's probably the easiest. A Perlprogram that clean up the ip's that have been allowed again after being denied could be put in a cronjob to keep the pf.conf file quite clean.
2. For personal internet-use there really isn't a problem with the possibility of DoS. It's simply would (next to) never happen and if you cant access one of your favourite sites, your DNS seems broken or similar you know where to check. You could also specify IP's that always should be able to talk to the firewall. Just add an allow rule for these in the top of the pf.conf file and include a "quick" statement and the rest of the rules will be ignored. Ofcourse you would never ever want an automatic IP-blocker on a firewall/gateway connected to a commercial/official site/network, but that is a completely different story and hopefully obvious.
I see the minimal "risk" of being DoS:ed as a good tradeoff compared to not having automatic IP-blocking.
By elrako harkonnen () sect@datacrypt.org on mailto:sect@datacrypt.org