[Firehol-support] A Tarpit
Costa Tsaousis
costa at tsaousis.gr
Mon Jun 5 18:58:45 BST 2006
Hi,
in v1.248 I have allowed the use of 'policy' in router blocks.
The same version accepts TARPIT as a policy.
Costa
Nicole King wrote:
> Dear All,
>
> Being rather sick of idiots who can't be bothered to secure their PCs
> and host worms, viruses and other malware, I installed the TARPIT
> (http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT)
> destination for iptables on my router.
>
> I fiddled around quite a lot with custom rules in firehol, but could
> not quite get the behaviour from the iptables that I wanted and so was
> forced to modify the source. I've added a new keyword "tarpit" which
> works rather like the "protection" keyword. It takes no parameters,
> and is used when finalising an interface or router chain. When
> present, this keyword causes all unmatched tcp traffic to be sent to
> the tarpit.
>
> The diff is below.
>
> Regards
>
> Nicole
>
> An example of the use in a config file
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> interface ppp0 outside src not ${UNROUTABLE_IPS}
> policy drop
> tarpit
> ...
>
> router outside_int inface ppp0 outface eth0 src @${UNROUTABLE_IPS} dst
> "192.168.0.0/24"
> protection strong
> tarpit
> route http accept
> ...
>
> The diff is
> ~~~~~~~~
>
> --- firehol 2006-05-22 10:44:17.000000000 +0100
> +++ firehol.new 2006-05-22 10:46:46.000000000 +0100
> @@ -410,6 +410,7 @@
> work_policy="${DEFAULT_INTERFACE_POLICY}"
> work_error=0
> work_function="Initializing"
> +work_tarpit=0
>
>
> #
> ------------------------------------------------------------------------------
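Review bot: work_tarpit=0 is initialized alongside the other work_* defaults, which is the right place, but nothing in the patch describes what the flag gates; a one-line comment next to it (it marks that the block's finalization should send unmatched TCP to TARPIT) would save the next reader a trip to the -2826 hunk.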
> @@ -2371,6 +2372,16 @@
> #
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> ------------------------------------------------------------------------------
>
> +tarpit() {
> + work_realcmd_secondary ${FUNCNAME} "$@"
> +
> + require_work set any || return 1
> +
> + set_work_function "Setting tarpit on interface '${work_inface}'
> ${work_name}"
> + work_tarpit=1
> +
> + return 0
> +}
>
> #
> ------------------------------------------------------------------------------
> # Change the policy of an interface
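Review bot: the new tarpit() function never checks that the TARPIT target is actually available; as the cover message notes, TARPIT comes from patch-o-matic rather than stock netfilter, so on a kernel or iptables without it the failure surfaces only later, when the finalization rule is inserted, with a far less obvious error. Probing for the target here (or at least failing with a message naming TARPIT) would make the missing-extension case clear. Also, since require_work set any accepts the keyword in router blocks too, the set_work_function message "Setting tarpit on interface '${work_inface}' ${work_name}" will say "interface" for a router as well.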
> @@ -2792,6 +2803,7 @@
> work_inface=
> work_outface=
> work_policy="${DEFAULT_INTERFACE_POLICY}"
> + work_tarpit=0
>
> return 0
> }
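Review bot: resetting work_tarpit=0 next to work_policy in this close path looks right, but the keyword is accepted with require_work set any, so if routers are closed through a separate function that path needs the same reset; otherwise a tarpit in one block would carry over into the next block that does not set it.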
> @@ -2826,6 +2838,10 @@
> rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
> rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
>
> + if [ ${work_tarpit} -eq 1 ]; then
> + rule chain "in_${work_name}" "${inlog[@]}" proto tcp action tarpit
> || return 1
> + fi
> +
> rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} ||
> return 1
> rule reverse chain "out_${work_name}" "${outlog[@]}" action
> ${work_policy} || return 1
>
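Review bot: the TARPIT rule is inserted only into "in_${work_name}", so in a router block traffic in the out direction still falls through to the policy; if that asymmetry is intended it should be stated, since the cover message says "all unmatched tcp traffic". The rule also matches every TCP packet that reaches this point, not just new connections; after the RELATED accepts above, what remains is NEW and INVALID traffic, and tarpitting INVALID packets (stray ACKs, late retransmits) is rarely useful, so consider adding state NEW to the match so INVALID packets keep going to the policy. Reusing "${inlog[@]}" is sensible, as it logs tarpitted packets the same way the policy would.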
> @@ -3575,6 +3591,10 @@
> action="DROP"
> ;;
>
> + tarpit|TARPIT)
> + action="TARPIT"
> + ;;
> +
> reject|REJECT)
> action="REJECT"
> if [ "${1}" = "with" ]
>
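Review bot: mapping tarpit|TARPIT to action="TARPIT" makes the keyword usable anywhere an action is parsed, but TARPIT is a TCP-only target, so a rule that reaches iptables with this action and no "-p tcp" match is rejected; the per-interface rule in the -2826 hunk restricts to proto tcp, but a generic use such as a policy applied by a rule without a protocol match would not. Either reject tarpit here when the rule is not TCP-restricted, or document that the action is only valid together with proto tcp.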