Developing a DNS block via httpBL and ZEN: Question about connection detection



  • Background
    On all my Linode and AWS cloud machines, I have a bash script I wrote up that tail's a log of incoming/passed connections, then checks the IP doing a DNS lookup with Spamhaus' ZEN (minus PBL). If it passes that test, it does a DNS lookup with httpBL, also known as the HoneyPot Project, with a configuration that allows you to specify the number of days since last infraction and the threat level. If it's considered bad, it uses iptables to drop packets from that host. Every X hours (configured) it then rechecks currently blocked IPs.

    I like this method because the DNS based lookups are quick to update, and httpBL not only provides a wealth of data on the IP in question, but is a unique community project on it's own. My personal experience is that it catches a lot of threat IPs before they get to Spamhaus, too.

    Question
    I would like to recreate the above for my PFSense machines in package format. Currently, the best way I can think to do this is to require turning on logging for any "pass" firewall rules that a user would like the package to monitor. My questions are:

    • Is there a better way to monitor passed connections in FreeBSD?

    • What would the "appropriate" way be to block an IP in PFSense from a package install?

    Thanks,
    Ben


Log in to reply