Address List

Hello brothers,

I want to know if there is any way to create an address list based on IP connections. For example: if the IP 200.200.200.200 receives 500 connections, it will be inserted in one address list. The main reason is to prevent worms from passing through a proxy like Squid. So I want to put this address list in one "accept" before the proxy redirection rule.

Cheers,
 
Can you please restate the objective in a general way? Do you mean you want to block addresses that attempt to connect too many times?
 
Hello buddy!

Well, some machines in the network could be infected by worms that normally are used to attack one pre-determined host. I want to detect the hosts and put them in one address list and make these destination hosts not pass through the proxy, because too many connections could crash the proxy system.

So in this case I want a direct connection between the customer and this host, avoiding the transparent proxy port redirection.

Anyway, thanks for your interest in helping :)
 
So you're worried about machines inside your network? I'm sure that can be done with IPFW, but don't know how. With pf(8), it's easy. Create a persistent table of IP addresses or ranges and block everything in that table. It's up to you to decide how to detect those machines. Once you have the IP addresses, use pfctl(8) to add them to the table.
 
Hello friend,

Yes, the problem is the infected machines inside the network, but how can I make a list using pf, based on the number of connections to port 80 on one determined IP address? Maybe I can make a mix of pf and ipfw :)
 
It is not the firewall that would detect the number of connections. The firewall will do the blocking. As I said, you'll have to come up with something else to count the connections. Probably something that asks squid, if that's the proxy.
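Putting the two replies above together (a persistent pf(8) table for the firewall side, and something that asks Squid for the connection counts), here is an added example that is not part of the thread: a POSIX shell script that counts requests per client address in a Squid access.log (native format, client address in field 3), lists the clients above a threshold, and prints the pfctl(8) commands that would add them to a persistent table. The table name `<infected>`, the default threshold of 500, the constructed sample log lines and the pf.conf fragment in the comments are all assumptions made for this example; the commands are printed rather than executed so an administrator can review them first.

```shell
#!/bin/sh
# Added example, not from the forum thread or any project.
# Detection: count requests per client in a Squid access.log and pick the
# clients above a threshold. Enforcement: print pfctl(8) commands that add
# those clients to a persistent pf table. Assumed pf.conf fragment (pf syntax
# as used on FreeBSD; the table name and interface are assumptions):
#
#   int_if = "em1"
#   table <infected> persist
#   # members of <infected> bypass the transparent proxy (direct connection)
#   no rdr on $int_if proto tcp from <infected> to any port 80
#   rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
#   # or, to cut them off entirely instead, as suggested in the thread:
#   # block in quick on $int_if from <infected>

THRESHOLD=${THRESHOLD:-500}   # requests per client before it is listed
TABLE=${TABLE:-infected}      # pf table name (assumed)

# Constructed sample log lines in Squid native format:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG=$(cat <<'EOF'
1700000000.001    12 192.0.2.10 TCP_MISS/200 512 GET http://example.test/ - DIRECT/198.51.100.5 text/html
1700000000.002    11 192.0.2.10 TCP_MISS/200 512 GET http://example.test/ - DIRECT/198.51.100.5 text/html
1700000000.003    10 192.0.2.20 TCP_HIT/200 900 GET http://example.test/a - NONE/- text/html
1700000000.004    13 192.0.2.10 TCP_MISS/200 512 GET http://example.test/ - DIRECT/198.51.100.5 text/html
1700000000.005    15 192.0.2.30 TCP_MISS/200 100 GET http://example.test/b - DIRECT/198.51.100.5 text/plain
1700000000.006     9 192.0.2.20 TCP_HIT/200 900 GET http://example.test/a - NONE/- text/html
EOF
)

# over_threshold LIMIT: read an access.log on stdin, print "count client"
# for every client with more than LIMIT requests, busiest first.
over_threshold() {
    awk -v limit="$1" '
        { n[$3]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# pfctl_commands TABLE: turn "count client" lines into the pfctl(8) commands
# that would add each client to the persistent table (printed, not run).
pfctl_commands() {
    awk -v table="$1" '{ print "pfctl -t " table " -T add " $2 }'
}

# Demonstration: with a real log given as $1, use the configured threshold;
# otherwise run on the constructed sample with a low threshold of 2.
if [ -n "$1" ] && [ -r "$1" ]; then
    over_threshold "$THRESHOLD" < "$1" | pfctl_commands "$TABLE"
else
    printf '%s\n' "$SAMPLE_LOG" | over_threshold 2 | pfctl_commands "$TABLE"
fi
```

Run it periodically from cron against the live access.log, pipe the output into `sh` once the list has been checked, and the addresses persist in the table across rule reloads; `pfctl -t infected -T show` lists the current members and `-T delete` removes a host after it has been cleaned.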
 