smart banning of an attacking-IP on a PF firewall?

Hello:

I'm trying to configure the PF of an Open BSD to react smartly against attacks and ban the attacking IP for several minutes.

I've heard it's possible, (heard being the key word here).

How can I approach this?

Thanks
HoraShadow

Can you explain where you are getting attack information from? Are you trying to integrate Pf with an IDS?

So far, the only thing I have is the PF.

Hm, I guess I should have asked it this way.

What software/hardware should I use to build a smart system defence, that bans for a while, posible attackers while they are scanning my ports?

I have an Open BSD with a configured PF doing firewall/NAT as a start.

The only thing that has to stay is the Open BSD. The PF can go if it gets in the way.

Well for what you're asking for I would usually recommend snort inline
snort-inline.sourceforge.net/

However unlike regular snort which runs extremely snugly on *BSD, snort-inline, since it uses iptables.. you'll have to use this document for your setup
freebsd.rogness.net/snort_inline/

That should cover your smart defence requirements very decently.

Cheers,

Okey.. this looks exactly what I was looking!

Time to start researching. Thanks a lot for the good data, I really apreciate it!

No problem.. drop a line about how your implementation or testing goes as I'd like to know how well it works out.


Cheers mate,