[rescue] A perverse thought (SGI security division)

Caleb Shay caleb at webninja.com
Thu Mar 11 15:46:43 CST 2004

On 2004-03-11 16:35:39 -0500 Sheldon T. Hall <shel at cmhcsys.com> wrote:

> Caleb Shay suggests ...

<snip "nasty tarpit method to deal with portscanners">

> Yeah, I like that even better!
> I just have to get a better firewall than a "DSL router" to implement
> that sort of thing!

Well, I know many people swear by OpenBSD for their firewalls.  I'm 
sure it's good, but I figure any firewall I set up with OpenBSD is 
going to be less secure than one I set up with Linux since I know 
Linux and I don't know OpenBSD.

If you want to go the Linux route, here's info on setting up tarpit 
rules (among other fun things) for Linux iptables firewalls:


The executive summary would be:

iptables -A INPUT -p tcp -m tcp -s ${BADIP} -j TARPIT
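
An added example, not part of the original post: a dry-run generator that turns a list of offending source addresses into the tarpit rule above, after validating each entry and skipping addresses that must never be tarpitted. It assumes the TARPIT target is available (on current kernels it ships with xtables-addons); ALLOWLIST, SAMPLE and the function names are hypothetical, the addresses are constructed, and using -I instead of -A plus the raw-table notrack rule are choices made here.

```shell
#!/bin/sh
# Dry run: prints the iptables commands instead of executing them.
# ALLOWLIST (hypothetical): addresses that must never be tarpitted, e.g. your admin host.
ALLOWLIST="192.0.2.10"

# Succeeds only for a dotted-quad IPv4 address with four octets in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
    esac
    rest="$1."; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case "$octet" in 0?*|????*) return 1 ;; esac   # leading zero or too long
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Prints the rules for one source address; returns 1 and prints nothing if skipped.
tarpit_rules() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "skip (not an IPv4 address): $ip" >&2; return 1
    fi
    for ok in $ALLOWLIST; do
        if [ "$ip" = "$ok" ]; then
            echo "skip (allowlisted): $ip" >&2; return 1
        fi
    done
    # Exempt the tarpitted source from connection tracking so each held
    # connection does not also occupy a conntrack entry on the firewall.
    echo "iptables -t raw -I PREROUTING -p tcp -s $ip -j CT --notrack"
    # -I places the rule ahead of existing ACCEPT rules; with -A it only
    # sees traffic that no earlier INPUT rule has already accepted.
    echo "iptables -I INPUT -p tcp -m tcp -s $ip -j TARPIT"
}

# Constructed sample input: one offender, one allowlisted host, two malformed entries.
SAMPLE="203.0.113.7 192.0.2.10 198.51.100.999 1.2.3.4;reboot"

generate_all() {
    for candidate in $SAMPLE; do
        tarpit_rules "$candidate" 2>/dev/null || true
    done
}

generate_all
```

Review the printed commands before piping them to a root shell; only 203.0.113.7 yields rules for the sample list.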



