Steve Johnson wrote:
> > If it's not currently possible, please consider this as a feature request.

It's probably not possible in the same sense you mention because of the way the packet filter works; postfix checks the database or file every time it receives a connection; m0n0 would have to do that with every single incoming packet. That's why firewall rules work the way they work - they're all in RAM, all the time.

One thing that *could* be done is to use a different method. You could look into implementing things at your server's own firewall. One example would be to set up a cron job that looks at /var/log/maillog, greps for more than one failed attempt from a specific IP, records the IP and the time in a small, quick DB (Berkeley DB for example), executes a firewall rule to drop (or tarpit) packets from that IP, and the next time it runs it looks for old entries to expire.

I think I saw something like that a while back... Similar to http://mr.uue.org/projects/skds/ - it's for auth.log, but the idea is similar. There is a thread about it at http://forum.ev1servers.net/printthread.php?t=50435&page=4&pp=40 as well.
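A sketch of the cron-job pass described in the reply above, as an added example that is not part of the original message. It assumes Postfix SASL failure warnings as the "failed attempt" lines, uses SQLite in place of Berkeley DB, and uses a one-hour expiry. The names `run_once`, `open_db`, `THRESHOLD` and `BLOCK_SECONDS` are hypothetical, and the returned block/unblock actions still have to be mapped to your own firewall's commands.

```python
import re
import sqlite3

# Assumed log shape: Postfix smtpd SASL failure warnings; adjust for your MTA.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S*\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")
THRESHOLD = 2         # "more than one failed attempt" from one IP
BLOCK_SECONDS = 3600  # assumed expiry window, not from the original message

def open_db(path=":memory:"):
    # SQLite stands in for the "small, quick DB"; pass a file path under cron.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS blocked (ip TEXT PRIMARY KEY, since INTEGER)")
    return db

def run_once(db, log_lines, now):
    """One cron pass over new log lines; returns [("block"|"unblock", ip), ...]."""
    actions = []
    cutoff = now - BLOCK_SECONDS
    # 1. Expire old entries first, so stale blocks are lifted on every run.
    expired = [ip for (ip,) in db.execute(
        "SELECT ip FROM blocked WHERE since <= ? ORDER BY ip", (cutoff,))]
    actions.extend(("unblock", ip) for ip in expired)
    db.execute("DELETE FROM blocked WHERE since <= ?", (cutoff,))
    # 2. Count failed attempts per source IP in the lines seen this pass.
    counts = {}
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    # 3. Record offenders with the time, skipping IPs that are already blocked.
    for ip, n in sorted(counts.items()):
        known = db.execute("SELECT 1 FROM blocked WHERE ip = ?", (ip,)).fetchone()
        if n >= THRESHOLD and not known:
            db.execute("INSERT INTO blocked VALUES (?, ?)", (ip, now))
            actions.append(("block", ip))
    db.commit()
    return actions

# Constructed sample lines using documentation addresses, not real log data.
SAMPLE = [
    "Mar  3 10:15:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:15:04 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:16:10 mail postfix/smtpd[1240]: warning: host.example[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 10:16:30 mail postfix/smtpd[1241]: connect from unknown[192.0.2.44]",
]
```

A real deployment would also remember how far into /var/log/maillog it has read, so the same lines are not counted again on the next run.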