I don't agree. Using PF, and only PF, we can feed a table using some parameters, and it is filtered on one/several ports.
PF can't detect a network scan like nmap or ... So that is why I use scanlogd (it is in the OpenBSD ports). And some people use Snort also for this kind of thing.
PF is a good firewall; we can play with QoS / IP and port filtering / NAT / Src NAT / Stateful / Load Balancing / scrub. But it is not a NIDS. ;-)

All the best,

Wesley M.

On Wed, 19 Oct 2011 10:05:33 +0300, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> I think it is bad practice to use something that's not even in the
> base, when you have the feature in pf readily available.
>
> pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
> (max-src-conn-rate 1/60, overload <badhosts> flush global)
>
>
> On Wed, 19 Oct 2011 10:04:09 +0400
> "Wesley M." <open...@e-solutions.re> wrote:
>
>> I added this:
>>
>> in pf.conf
>> ...
>> table <black> persist file "/etc/black"
>> ...
>> block quick from <black>
>> ...
>>
>> Added to crontab
>> pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>>
>> What do you think about that?
>> Perhaps you have an easier way to do it?
>> Now I'm looking for a small web monitor to view alerts provided by
>> scanlogd. Any idea?
>>
>> cheers,
>>
>> Wesley.
>>
>>
>> On Wed, 19 Oct 2011 09:31:35 +0400, "Wesley M."
>> <open...@e-solutions.re> wrote:
>> > Hi,
>> >
>> > I use OpenBSD 4.9; I'm looking for a good NIDS.
>> >
>> > I found
>> > "scanlogd" in ports; it works very well.
>> >
>> > But is there a way to make this
>> > last one work with pf? For example, add the IP address detected by
>> > scanlogd to a
>> > "Blacklist" table?
>> >
>> > Also, is there a way to have a web monitor to view
>> > alerts?
>> >
>> > Perhaps you use something else ... what? ;-) snort?
>> >
>> > Thank you
>> > very much!
>> >
>> > All the best,
>> >
>> > Wesley.
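The cron one-liner quoted in the thread hands column six of every line in /var/log/alert straight to pfctl, so any non-scanlogd line in that file (or a malformed one) ends up in the table, and a trusted management host that happens to trip scanlogd gets blocked too. The script below is an added example, not code from the thread, from scanlogd or from the pf project: it keeps only scanlogd lines, validates that the extracted field is a real IPv4 address, skips an allowlisted prefix, deduplicates, and builds the pfctl command for review instead of executing it. The log line shape, the host names, the addresses (RFC 5737 documentation ranges) and the allowlist prefix are all constructed assumptions.

```shell
#!/bin/sh
# Added example: turn scanlogd syslog lines into a deduplicated list of source
# addresses for "pfctl -t black -T add". Assumed line shape (constructed):
#   Oct 19 09:00:00 fw scanlogd: 192.0.2.10 to 198.51.100.1 ports 22, 80, ...

# Constructed sample of /var/log/alert contents, including one non-scanlogd
# line and one scan from an allowlisted management host.
SAMPLE_ALERTS='Oct 19 09:00:00 fw scanlogd: 192.0.2.10 to 198.51.100.1 ports 22, 80, 443, 8080, ..., fSrpauxy, TOS 00, TTL 64 @09:00:00
Oct 19 09:01:12 fw scanlogd: 203.0.113.7 to 198.51.100.1 ports 21, 22, 23, 25, ..., f??pauxy, TOS 00, TTL 50 @09:01:12
Oct 19 09:02:40 fw scanlogd: 192.0.2.10 to 198.51.100.1 ports 3306, 5432, 6379, 9200, ..., fSrpauxy, TOS 00, TTL 64 @09:02:40
Oct 19 09:03:05 fw sshd[1234]: Accepted publickey for wesley from 10.0.0.5 port 40000 ssh2
Oct 19 09:04:00 fw scanlogd: 10.0.0.9 to 198.51.100.1 ports 22, 80, ..., fSrpauxy, TOS 00, TTL 64 @09:04:00'

# Assumed trusted prefix (management network) that must never be blacklisted.
ALLOWLIST='10.0.0.'

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# malformed or unexpected log field is never passed on to pfctl.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# scan_sources: read log text on stdin, keep only scanlogd lines, print the
# source address (the field after "scanlogd:"), validated, allowlist-filtered
# and deduplicated.
scan_sources() {
    awk '$5 == "scanlogd:" { print $6 }' |
    while read -r ip; do
        case "$ip" in "$ALLOWLIST"*) continue ;; esac
        is_ipv4 "$ip" && echo "$ip"
    done | sort -u
}

# blacklist_cmd: build the pfctl invocation from stdin without running it, so
# the result can be reviewed before it touches the live <black> table.
blacklist_cmd() {
    ips=$(scan_sources)
    [ -n "$ips" ] || return 0
    printf 'pfctl -t black -T add %s\n' "$(echo "$ips" | tr '\n' ' ' | sed 's/ $//')"
}

main() {
    # Dry run on the constructed sample; pipe the output into sh to apply it.
    echo "$SAMPLE_ALERTS" | blacklist_cmd
}

main
```

For real use, replace the sample with `blacklist_cmd < /var/log/alert`, and note that the table only persists across reboots if it is also written back to the file named in the `persist file` clause (for example with `pfctl -t black -T show > /etc/black`).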