adaptive-firewall — Adaptive Firewall
Adaptive Firewall is a module that blocks attackers from two sources: addresses identified locally by its own traps and addresses from a globally shared list. The blocking itself is done by the pf(4) system component; Adaptive Firewall controls it by changing the content of specific pf tables. The SQL databases and pf tables related to Adaptive Firewall can be managed by the kat.af command.
The autonomous part of the Adaptive Firewall module works with data collected from local traps. The attackers are stored in various tables of a local database called IDS (Intrusion Detection System), implemented as the SQLite file /data/var/db/af/ids.db.
It contains the following tables:
AKBL4
Addresses of clients that were already blocked and tried to access the firewall again.
HPOT4
Addresses caught by the Honeypot trap (see below). Records in this table can carry the HPOT_SYN flag, which means that the address was seen only in a SYN packet and so may be spoofed. Such addresses are not blocked.
SRCT4
Addresses caught by Suricata.
SSHD4
Addresses found in /var/log/auth.log as clients that unsuccessfully tried to log in to an ssh server. Records in this table can carry the SSHD_REP flag, which means that the number of attempts reached the limit configured in the adaptive-firewall(5) configuration and the address will be reported as an attacker. This table is defined by a watchdog section of the configuration; similarly, other database tables can exist if defined by other instances of this section.
Data remain in the IDS tables until their lifetime expires and the cleanup removes them. The lifetime and the time of day when the cleanup is executed are configured in the auto-blocking section.
Newly caught data from the IDS database are periodically converted into the IPS (Intrusion Protection System) database by the af-db.sh command. The IPS database is implemented as the SQLite file /data/var/db/af/ips.db. Currently, it contains only one table, IPV4.
The new content of the IPS SQL database is then loaded into the auto-blocking pf table by the af-reload command. The period of this refresh is configured in the auto-blocking section.
The content of the IDS and IPS SQL database tables can be modified with the af-db.sh script, but because the periodic refresh regenerates the pf table from the databases, an address removal, for instance, must be done with the special unblock subcommand of kat.af.
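The following is an added example, not Kernun's own af-db.sh or af-reload code: a small model of the pipeline described above, from the sshd watchdog and the honeypot trap through lifetime cleanup to the IPS table and the pfctl call that would load it. Only the table names (SSHD4, HPOT4, IPV4), the flag names (SSHD_REP, HPOT_SYN) and the roles of the files come from the page; the column layout, the sample auth.log lines and the pf table name "auto-blocking" are assumptions made for the example.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not a real capture).
AUTH_LOG = """\
Jan 10 10:00:01 fw sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 fw sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:05 fw sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Jan 10 10:00:07 fw sshd[1240]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
Jan 10 10:00:09 fw sshd[1241]: Accepted publickey for ops from 192.0.2.10 port 40010 ssh2
"""
FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")


def init_ids(conn):
    """Create the two IDS tables used here. The column layout is an assumption;
    only the table names SSHD4/HPOT4 and the flag names come from the manual."""
    conn.executescript("""
        CREATE TABLE SSHD4 (addr TEXT PRIMARY KEY, hits INTEGER, flag TEXT, last_seen TEXT);
        CREATE TABLE HPOT4 (addr TEXT PRIMARY KEY, flag TEXT, last_seen TEXT);
    """)


def watchdog_sshd(conn, log_text, limit, now):
    """Count failed ssh logins per source address and set SSHD_REP once the
    count reaches the limit configured in the watchdog section."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        addr = m.group(1)
        conn.execute("INSERT OR IGNORE INTO SSHD4 VALUES (?, 0, NULL, ?)", (addr, now.isoformat()))
        conn.execute("UPDATE SSHD4 SET hits = hits + 1, last_seen = ? WHERE addr = ?",
                     (now.isoformat(), addr))
    conn.execute("UPDATE SSHD4 SET flag = 'SSHD_REP' WHERE hits >= ?", (limit,))


def honeypot_record(conn, addr, syn_only, now):
    """Record a honeypot hit. A SYN-only hit gets HPOT_SYN: the source may be spoofed."""
    conn.execute("INSERT OR REPLACE INTO HPOT4 VALUES (?, ?, ?)",
                 (addr, "HPOT_SYN" if syn_only else None, now.isoformat()))


def cleanup(conn, lifetime, now):
    """Drop IDS records whose lifetime has expired (what the scheduled cleanup does)."""
    cutoff = (now - lifetime).isoformat()
    for table in ("SSHD4", "HPOT4"):
        conn.execute(f"DELETE FROM {table} WHERE last_seen < ?", (cutoff,))


def build_ips(ids_conn, ips_conn):
    """Convert IDS data into the IPS table IPV4: only reported sshd attackers and
    honeypot hits without HPOT_SYN become blockable. Returns the sorted addresses."""
    ips_conn.execute("CREATE TABLE IF NOT EXISTS IPV4 (addr TEXT PRIMARY KEY)")
    ips_conn.execute("DELETE FROM IPV4")
    rows = ids_conn.execute(
        "SELECT addr FROM SSHD4 WHERE flag = 'SSHD_REP' "
        "UNION SELECT addr FROM HPOT4 WHERE flag IS NULL ORDER BY addr").fetchall()
    ips_conn.executemany("INSERT INTO IPV4 VALUES (?)", rows)
    return [r[0] for r in rows]


def pfctl_replace(table, addrs):
    """pfctl invocation that makes a pf table equal to the IPS content
    (pfctl -t <table> -T replace <addr>...). The table name is a placeholder."""
    return ["pfctl", "-t", table, "-T", "replace", *addrs]


def run_demo():
    ids = sqlite3.connect(":memory:")
    ips = sqlite3.connect(":memory:")
    init_ids(ids)
    now = datetime(2024, 1, 10, 10, 0, 10)
    watchdog_sshd(ids, AUTH_LOG, limit=3, now=now)
    honeypot_record(ids, "192.0.2.77", syn_only=False, now=now - timedelta(days=2))  # expired
    honeypot_record(ids, "192.0.2.78", syn_only=True, now=now)                       # SYN only
    honeypot_record(ids, "192.0.2.79", syn_only=False, now=now)                      # full connect
    cleanup(ids, timedelta(days=1), now)
    blocked = build_ips(ids, ips)
    flags = dict(ids.execute("SELECT addr, flag FROM SSHD4").fetchall())
    return {"blocked": blocked, "sshd_flags": flags,
            "pfctl": pfctl_replace("auto-blocking", blocked)}


if __name__ == "__main__":
    print(run_demo())
```

In the demo, 203.0.113.5 reaches the limit of three failures and is flagged SSHD_REP, 198.51.100.9 stays unflagged, the two-day-old honeypot record is expired by the cleanup, and the SYN-only hit is kept in HPOT4 but never reaches IPV4. Deleting a row from IPV4 by hand would not help: the next build would recreate it from the IDS data, which is why the manual points to the unblock subcommand of kat.af.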
The globally shared list is called adaptive-database and can be downloaded periodically from a central server. The download parameters are configured in the global section update. The downloaded database is first filtered according to the adaptive-database.policy-level, adaptive-database.max-entries and whitelist options. Then the addresses are stored into the pf tables adaptive-database-any-block, adaptive-database-src-block and adaptive-database-dst-block, according to the original database source.
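The filtering step above, as an added example that is not Kernun's code: the downloaded entries are reduced by policy level, whitelist and entry cap, then split among the three pf tables named in the manual. The record layout (address, numeric level, direction), the rule that entries above the configured policy level are dropped, the order in which max-entries truncates, and the sample data are all assumptions made for the example.

```python
import ipaddress

# Constructed sample of a downloaded adaptive database (assumed record layout).
DOWNLOADED = [
    {"addr": "203.0.113.10", "level": 1, "direction": "any"},
    {"addr": "203.0.113.11", "level": 2, "direction": "src"},
    {"addr": "198.51.100.20", "level": 3, "direction": "dst"},
    {"addr": "192.0.2.5", "level": 1, "direction": "src"},      # matches the whitelist below
    {"addr": "198.51.100.21", "level": 5, "direction": "any"},  # above the policy level below
    {"addr": "203.0.113.12", "level": 1, "direction": "any"},
]

# pf table per database source; these three names come from the manual.
TABLE_FOR = {
    "any": "adaptive-database-any-block",
    "src": "adaptive-database-src-block",
    "dst": "adaptive-database-dst-block",
}


def filter_adaptive_db(records, policy_level, max_entries, whitelist):
    """Apply adaptive-database.policy-level, whitelist and adaptive-database.max-entries
    (assumed semantics: drop entries above the level, drop whitelisted addresses or
    networks, keep at most max_entries, lowest level first), then group by pf table."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    kept = []
    for rec in sorted(records, key=lambda r: r["level"]):
        if rec["level"] > policy_level:
            continue
        ip = ipaddress.ip_address(rec["addr"])
        if any(ip in net for net in nets):
            continue  # never block our own or explicitly trusted addresses
        kept.append(rec)
        if len(kept) >= max_entries:
            break
    tables = {name: [] for name in TABLE_FOR.values()}
    for rec in kept:
        tables[TABLE_FOR[rec["direction"]]].append(rec["addr"])
    return tables


def pfctl_commands(tables):
    """One pfctl -T replace per table; an empty list clears the table (pfctl -T flush)."""
    cmds = []
    for name, addrs in tables.items():
        if addrs:
            cmds.append(["pfctl", "-t", name, "-T", "replace", *addrs])
        else:
            cmds.append(["pfctl", "-t", name, "-T", "flush"])
    return cmds


if __name__ == "__main__":
    result = filter_adaptive_db(DOWNLOADED, policy_level=3, max_entries=4,
                                whitelist=["192.0.2.0/24"])
    for cmd in pfctl_commands(result):
        print(" ".join(cmd))
```

With the sample data, 192.0.2.5 is dropped by the whitelist, 198.51.100.21 by the policy level, and the remaining four entries land in their tables; lowering max_entries to 3 drops the level-3 entry and leaves adaptive-database-dst-block empty, which is why the loader must also handle the flush case.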
Any activity from or to blocked addresses is registered and stored in the IDS SQL database tables ADAB, ADSB and ADDB, which correspond to the pf table holding the particular address. These data are used only as feedback for the central server. The ADFB table is for internal purposes only.
Honeypot is a special Adaptive Firewall function aimed at port scanning. It uses one or more special IP addresses that are otherwise unused and unpublished. On a given port range (which can also be 1-65535) on these addresses, the pf-control(8) daemon listens. The daemon accepts and immediately closes every connection and adds the client to the HPOT4 table in the IDS SQL database.
If a client only sends a SYN packet, it is also added to the database, but no restriction is applied, since the source address of a bare SYN can be spoofed.