[Firehol-support] A Tarpit

Costa Tsaousis costa at tsaousis.gr
Mon Jun 5 18:58:45 BST 2006


Hi,

in v1.248 I have allowed the use of 'policy' in router blocks.
The same version accepts TARPIT as a policy.

Costa

Nicole King wrote:
> Dear All,
>  
> Being rather sick of idiots who can't be bothered to secure their PCs 
> and host worms, viruses and other malware, I installed the TARPIT 
> (http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT) 
> destination for iptables on my router.
>  
> I fiddled around quite a lot with custom rules in firehol, but could 
> not quite get the behaviour from the iptables that I wanted and so was 
> forced to modify the source. I've added a new keyword "tarpit" which 
> works rather like the "protection" keyword. It takes no parameters, 
> and is used when finalising an interface or router chain. When 
> present, this keyword causes all unmatched tcp traffic to be sent to 
> the tarpit.
>  
> The diff is below.
>  
> Regards
>  
> Nicole
>  
> An example of the use in a config file
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  
> interface ppp0 outside src not ${UNROUTABLE_IPS}
>   policy drop
>   tarpit
>   ...
>  
> router outside_int inface ppp0 outface eth0 src @${UNROUTABLE_IPS} dst 
> "192.168.0.0/24"
>   protection strong
>   tarpit
>   route http accept
>   ...
>  
> The diff is
> ~~~~~~~~
>  
> --- firehol 2006-05-22 10:44:17.000000000 +0100
> +++ firehol.new 2006-05-22 10:46:46.000000000 +0100
> @@ -410,6 +410,7 @@
> work_policy="${DEFAULT_INTERFACE_POLICY}"
> work_error=0
> work_function="Initializing"
> +work_tarpit=0
>  
>  
> # 
> ------------------------------------------------------------------------------
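Review bot: the new global `work_tarpit=0` carries no comment saying what it gates, unlike the surrounding `work_policy`/`work_error` state it sits next to; since the flag is only set by the keyword and only consumed at finalisation time, add a one-line comment such as `# set to 1 when 'tarpit' was used in the current block` so the two distant uses are easy to connect.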
> @@ -2371,6 +2372,16 @@
> # 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> # 
> ------------------------------------------------------------------------------
>  
> +tarpit() {
> + work_realcmd_secondary ${FUNCNAME} "$@"
> +
> + require_work set any || return 1
> +
> + set_work_function "Setting tarpit on interface '${work_inface}' 
> ${work_name}"
> + work_tarpit=1
> +
> + return 0
> +}
>  
> # 
> ------------------------------------------------------------------------------
> # Change the policy of an interface
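Review bot: the status message in `set_work_function` is wrong for router blocks: `require_work set any` accepts the keyword inside both interface and router definitions, but the text hard-codes "Setting tarpit on interface '${work_inface}'", so a router reports a misleading (possibly empty) interface name. Build the message from the block type and `${work_name}` instead, and document the new keyword alongside `protection`, since the mail says it is meant to work the same way.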
> @@ -2792,6 +2803,7 @@
> work_inface=
> work_outface=
> work_policy="${DEFAULT_INTERFACE_POLICY}"
> + work_tarpit=0
>  
> return 0
> }
> @@ -2826,6 +2838,10 @@
> rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
> rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
>  
> + if [ ${work_tarpit} -eq 1 ]; then
> + rule chain "in_${work_name}" "${inlog[@]}" proto tcp action tarpit 
> || return 1
> + fi
> +
> rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || 
> return 1
> rule reverse chain "out_${work_name}" "${outlog[@]}" action 
> ${work_policy} || return 1
>  
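Review bot: the new `proto tcp action tarpit` rule runs before the policy rule for every TCP packet that reaches the end of `in_${work_name}`, regardless of what `work_policy` is, and it reuses the policy's `"${inlog[@]}"` logging. That means a block with `policy accept` and `tarpit` silently tarpits all unmatched TCP, and every retransmission of a tarpitted connection is logged at the policy's log settings. Consider only emitting the rule when the policy is drop or reject, giving it its own (rate-limited) log prefix, and stating explicitly that only the in_ chain is affected, since the `rule reverse` line below is not applied to the tarpit rule.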
> @@ -3575,6 +3591,10 @@
> action="DROP"
> ;;
>  
> + tarpit|TARPIT)
> + action="TARPIT"
> + ;;
> +
> reject|REJECT)
> action="REJECT"
> if [ "${1}" = "with" ]
>  
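Review bot: the `tarpit|TARPIT)` case maps the keyword straight to the iptables TARPIT target with no protocol handling, yet the rule emitted in the earlier hunk has to add `proto tcp` for it, and the target itself only exists when the patch-o-matic TARPIT extension linked in the mail is built into the kernel and iptables. Either have the action mapping add (or require) the tcp match, or fail with a clear error when iptables does not know the target; otherwise a user who writes `policy tarpit` on an unpatched system gets an opaque iptables error at activation time.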
