
Honeypots mailing list archives
RE: Outgoing Traffic measure in OpenBSD an pf
From: "Benninghoff, John (RBC Dain)" <John.Benninghoff () Rbcdain com>
Date: Tue, 14 Dec 2004 13:25:54 -0600
While I'm not familiar with iptables, it sounds like you are trying to limit the number of outbound connections. There was a recent article on undeadly.org about TCP connection rate tracking, which was recently added to the development (-current) branch of OpenBSD:

http://undeadly.org/cgi?action=article&sid=20041204134916

Here's the cvs log message:

Userland support for limiting open tcp connections per source.
eg:
    keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)
allow a maximum of 1000 open connections or 100 new connections in 10 seconds. The addresses of offenders are added to the <bad> table which can be used in the ruleset, and existing states from that host are flushed.

-----Original Message-----
From: David Jiménez Domínguez [mailto:djdsecurity () gmail com]
Sent: Monday, December 13, 2004 3:37 PM
To: honeypots () securityfocus com
Subject: Outgoing Traffic measure in OpenBSD an pf

Hi list!!

I had an OpenBSD as my firewall and I would like to measure the Outgoing traffic in order to detect activity in my HoneyNet and add a pf rule to block the activity in the HoneyPot (just like HoneyWall works...but in OpenBSD).....

I haven't found a way to do that, is there a parameter in pf like -m limit in iptables??

Sia
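The state options from the cvs log message, placed in a pf.conf fragment for a honeynet gateway. This is an added example, not part of the original post; the interface name and address range are assumptions.

```pf
# Added example fragment for pf.conf. Interface name and addresses are
# assumptions, not values from the thread.
hp_if    = "em1"             # assumed: interface facing the honeynet
honeynet = "192.0.2.0/24"    # assumed: honeynet range (documentation prefix)

# Offending honeypot addresses are collected here by the overflow action.
table <bad> persist

# A honeypot that has already tripped the limits gets no new connections.
# "quick" makes this rule final, so the pass rule below is never reached.
block in quick on $hp_if from <bad> to any

# Connections initiated by the honeypots: at most 1000 open at once per
# source, or 100 new ones in 10 seconds (the values from the log message).
# On overflow the source is added to <bad> and its existing states are
# flushed. These limits count TCP connections that have completed the
# 3-way handshake, so they do not measure non-TCP traffic.
pass in on $hp_if proto tcp from $honeynet to any flags S/SA \
    keep state (max-src-conn 1000, max-src-conn-rate 100/10, \
                overflow <bad> flush)

# Inspect and clear the table from the shell:
#   pfctl -t bad -T show
#   pfctl -t bad -T flush
```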