adaptive-firewall — Adaptive Firewall


Adaptive Firewall is a module that can protect against both locally identified and globally shared lists of attackers. The blocking is executed by the pf(4) system component and the Adaptive Firewall controls it by changing the content of specific pf tables. The SQL databases and pf tables related to Adaptive Firewall can be managed by the command.

Autonomous blocking

The autonomous part of the Adaptive Firewall module works with data collected from local traps. The attackers are stored into various tables of a local database called IDS (Intrusion Detection System) implemented as SQLite file /data/var/db/af/ids.db. It contains the following tables:


Addresses of clients already blocked that tried to access the firewall again.


Addresses caught by the Honeypot trap (see below).

Records in this table can have an HPOT_SYN flag, this means that this address occured only in SYN packet and so it might be faked. Such addresses are not blocked.


Addresses caught by Suricata.


Addresses found in the /var/log/auth.log as a client unsuccessfully trying to log in an ssh server.

Records in this table can have an SSHD_REP flag, this means that number of attempts reached limit configured in the adaptive-firewall(5) configuration and the address will be reported as an attacker.

This table is defined by a watchdog section of the configuration. Similarly, other database tables can exist if defined by other instances of this section.

Data remains in the IDS tables until is cleaned due to expired lifetime. The lifetime and the time of the day when the cleanup is executed are configured in the auto-blocking section.

The newly caught data from the IDS database is periodically converted to an IPS (Intrusion Protection System) database by the command. The IPS database is implemented as SQLite file /data/var/db/af/ips.db. Currently, it contains only one table, IPV4. The new content of the IPS SQL database is then loaded to the auto-blocking pf table by the af-reload command. The period of this refresh is configured in section auto-blocking.

Content of the IDS and IPS SQL database tables can be modified by the script but due to the nature of the refreshment process, an address removal, for instance, must be done by a special unblock subcommand of the

Adaptive database

The globally shared list is called adaptive-database and it can be periodically downloaded from a central server. The download parameters are configured in global section update. The downloaded database is first filtered according to the adaptive-database.policy-level, adaptive-database.max-entries and whitelist options. Then, the list of addresses is stored to pf tables adaptive-database-any-block, adaptive-database-src-block and adaptive-database-dst-block, according to the original database source.

Any activity from or to blocked addresses is registered and stored into the IDS SQL database tables ADAB, ADSB and ADDB that correspond to the pf table holding the particular address. This data are used only for feedback to the central server. The ADFB table is for an internal purpose only.


Honeypot is a special Adaptive Firewall function targeted against port scanning. There is a special IP address (or more), unused and unpublished. On a given port range (can be also 1-65535) on this address, there is the pf-control(8) daemon listening. The daemon accepts and closes every connection, and it adds the client to the HPOT (HPOT4) table in the IDS SQL database.

If a client tries only sending a SYN packet, it is also added to the database, but no restriction is used since the source address can be faked.

See Also


pf-control.cfg(5),, kat(8), pf-control(8)


This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.