Subject: pf-related tool: dfd_keeper
To: None <>
From: Travis H. <>
List: tech-security
Date: 09/18/2005 03:23:55

Just letting people know that a dynamic firewall daemon, (sort of a
command shell for the firewall), is available for NetBSD & pf.  It's
called dfd_keeper, and I'm looking for ideas, suggestions, developers,
and testers.  You can find it here:

I'd like to evolve from this into a more complete system.

For example:

I'd like to integrate it with snort, honeypots, and maybe snortsam.

I'd like to have a pcap-based sniffer that invokes commands not
related to security incidents... for example active-mode FTP, IRC DCC,
talk, p2p applications, etc.

I'd like to have a pcap-reading library written in a buffer-safe
language that does several things:
1) Decode IPs and TCP/UDP ports, generating "top 100 probed ports",
"top 100 blocking rules", etc. over various time periods.
2) Port scan detector, see:
3) Statistics for optimization of rules
4) Port knocking, see:
5) Abuse of network resources (spam, worms, scanning by internal
hosts, arp flooding, bandwidth cap overflow, etc.)

I'd like to have a web interface which displays:
1) All of the info from the pcap program above
2) The OS fingerprint history of various IPs
3) ifgraph/smokeping output
4) statistics gathered from arpwatch
(MAC history of an IP, IP history of a MAC, &c.)
5) Fancy visualizations of the multi-dimensional stastitical
information that firewall logs contain:
5a) graphviz
5b) LGL,
5c) volsuite
5d) OpenQVIS

I'd like to have a web interface for toggling/setting firewall rules.
Specifically, on/off commands would have a checkbox, multi-mode
commands radio buttons, the list-based commands have an "add" text
entry field, etc.

I'd like to protect the traffic to dfd_keeper with cryptography.

I'd like to implement a coherent system of authorization, so that
certain hosts/programs/users could access some commands, but not
others.  Currently the model is "all or nothing".

I'd like to add persistence to dfd_keeper so that blocked hosts stay
blocked.  This will involve some re-structuring due to limitations of
python pickling code.

I'd like to write an expect script that can shut ports off on managed
switches.  Combined with the "abuse of resources" detector above, this
means no more manually handling worm invasions!  Could also implement
this with arp spoofing, if not patented by Mirage Networks.

All these cooperating packages might be easiest to configure with some
custom afterinstall scripts or maybe even a Live! CD distro for an
instant "firewall appliance".

If you are interested in any of these topics, or have suggestions,
please email me and ask to be added to my email list.
--=20  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B