PF: What is the best way to determine which rule auto-blacklisted an IP?

[IT_Architect]

I'm using FreeBSD 7 and the PF firewall. These are the issues I ran into.

1. I don't currently have an indication of which rule got an IP on the blacklist. They are PASSed until they exceed the limit, and blacklisted after that, so I have no record of what they were doing at the time.

2. When they do violate an STO rule, even if I know which rule it is, I don't know which part.
Was it too many max-src-states? max-src-nodes?, or max-src-conn-rate? Thus I don't know what to adjust.

3. I don't find any organized method documented anywhere on how to collect the necessary information to establish what the limits of the STO rules should be. The example rules from the most popular tutorials blacklisted the users almost immediately. I found I was far better off making logical stabs at what they should be.

Thanks!

 

[IT_Architect]

I couldn't find the answers to these question here, the docs, or any of the internet tutorials and forums, so I have developed some of my own logic of how to solve these issues to end up with a real firewall. Maybe this will be useful to others.
- There doesn't seem to be a starting set of rules that you can tap into, and you wouldn't know if they were too loose if there were.
- PF's "LOG" statement only logs the first packet. If you want all the packets you need "LOG ALL"
- PF logs and the tools you can add, do not contain what you need to establish parameters for your rules. What it will tell you is the rule number that caused the pass or block, and you can print out the rule numbers with pfctl -vvs rules | grep @.
- You are going to need an initial set of rules to develop your permanent ones. Initially, you will need not only a rule for each port, but also a rule for the same port for each STO rule seperately. E.G. max-src-states, max-src-nodes, max-src-conn-rate, etc, will all need their own rules for that port. Moreover, you will need a table for each rule. When they exceed a limit, and it gets written to the corresponding table. Do not use these tables to block them or you will lose your ability to collect the information you need. You will want a cron process to read these tables and save off the IPs and time stamp them so you don't lose them, and have them available later for analysis. This is the only way you will be able to determine where the problems are. You will want to log everything, including your blacklists. I learned a lot from that including I was blocking some things I wasn't intending to block.
- After you calculate the proper values for the port rules, you can consolidate STO rules to a single port rule, but you will still want to have multiple tables to filter with. For example, for all of the e-mail protocols, you may want to have a table that ages pretty quickly, but for a port scanner, ssh or ftp crackers, you may want them to be picked up by a cron job and put into a disk-based, permanent blacklist table that you will merge with your internet blacklist tables. You will also want to establish a disk-based whitelist and put your logging back to what you really want to log.
- Firewall STO rules don't work for everything. For e-mail, the greatest "abusers" will be the users. Outlook is multi-threaded, and when it goes off, even a small company will be putting out hundreds of connection requests at once from the same IP. About all you will catch are DOS attacks. So for things like e-mail, external lists will be required.