ipqbdb: IPQ BDB filter

iptables is a popular firewall on GNU/Linux systems. It features the ability
to queue packets to a user space daemon that issues a verdict on whether
the packet being examined is blocked. The IPQ BDB filter provides such a user
space program; it looks up the packet's IPv4 address in a Berkeley DB database.

The daemon is designed to block addresses in a fuzzy fashion, inspired by
the STOCKADE daemon (see link below). Each record features a decay and a
probability. Banning an IP either inserts a new record with the given
probability, or doubles the probability of an existing record. Probabilities
define the likelihood that a packet will be blocked. They decrease
automatically: the decay is the time in which a probability halves. It is
possible to whitelist IP addresses in order to establish their initial decay.
The decay is increased whenever the probability passes a certain boundary, so
that repeatedly banned IPs end up with a slow decay.

Banning is accomplished by a command line utility, and by a log parsing
daemon. In that respect, ipqbdb is a light version of fail2ban (see link
below).

While decays are expressed as floating point values, probabilities are
integers in the range 0-RAND_MAX. However, the probability for newly inserted
records is specified as a count, i.e. a number that defines the initial
probability such that doubling it that many times results in a
probability of 100%.
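The following is an added illustration of the decay/probability model described above; it is not ipqbdb's own code. It assumes a record holds an integer probability in 0..RAND_MAX, a decay in seconds and a timestamp, that "count" maps to RAND_MAX shifted right that many times, that halving happens once per whole decay period (a stepwise reading of "the time in which a probability halves"), and that the boundary at which the decay is doubled is half of RAND_MAX. The function and field names are hypothetical.

```c
/* Added illustration of ipqbdb's fuzzy block model; not the project's code.
 * Assumptions: probability is an integer in 0..RAND_MAX, decay is seconds
 * per halving, the boundary that slows the decay is RAND_MAX / 2. */
#include <stdio.h>
#include <stdlib.h>

struct block_rec {
    long   prob;   /* block probability, 0..RAND_MAX */
    double decay;  /* seconds for the probability to halve */
    double stamp;  /* time (seconds) up to which decay has been applied */
};

/* Initial probability for a ban "count": doubling it `count` times
 * reaches RAND_MAX, i.e. a 100% block probability. */
long initial_prob(int count) {
    if (count < 0) count = 0;
    if (count > 30) return 0;            /* shifting further would be UB */
    return (long)RAND_MAX >> count;
}

/* Apply decay: halve the probability once for every whole decay period
 * that elapsed since the record was last aged. Partial periods carry over. */
void age_record(struct block_rec *r, double now) {
    double elapsed = now - r->stamp;
    if (elapsed <= 0 || r->decay <= 0) return;
    long periods = (long)(elapsed / r->decay);
    if (periods <= 0) return;
    r->prob = periods > 30 ? 0 : r->prob >> periods;
    r->stamp += (double)periods * r->decay;
}

/* Ban an IP: insert a fresh record at the count-derived probability, or
 * age and then double an existing one (capped at RAND_MAX). When the
 * doubled probability passes the assumed boundary, the decay is doubled
 * so a repeatedly banned address cools off more slowly. */
void ban(struct block_rec *r, int exists, int count, double decay, double now) {
    if (!exists) {
        r->prob  = initial_prob(count);
        r->decay = decay;
        r->stamp = now;
        return;
    }
    age_record(r, now);
    r->prob = r->prob > RAND_MAX / 2 ? RAND_MAX : r->prob * 2;  /* no overflow */
    if (r->prob > RAND_MAX / 2)
        r->decay *= 2.0;
}

/* Verdict: block the packet with likelihood prob / RAND_MAX.
 * `draw` is a random value in 0..RAND_MAX (e.g. rand()). */
int should_block(const struct block_rec *r, long draw) {
    return draw < r->prob;
}

int main(void) {
    struct block_rec r;
    /* Constructed scenario: one address banned four times with count 2,
     * then left alone for one decay period. */
    ban(&r, 0, 2, 60.0, 0.0);
    for (int i = 0; i < 3; i++)
        ban(&r, 1, 2, 60.0, 0.0);
    printf("after 4 bans: prob=%ld decay=%.0fs\n", r.prob, r.decay);
    age_record(&r, r.decay);
    printf("after one decay period: prob=%ld blocked=%d\n",
           r.prob, should_block(&r, rand()));
    return 0;
}
```

With count 2 the first ban starts at a quarter of RAND_MAX, so two further bans reach about 100% and trigger the slower decay; the verdict step is a single comparison of a random draw against the stored probability, which is what makes the blocking fuzzy rather than absolute.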

Multiple block DBs can be used for multiple netfilter queues. What DBs are
used can be specified as command line options; frequently used options may
be saved in the popt config file.

Programs:
ipqbdbd   main daemon, receives queued packets from the kernel and issues verdicts.
ibd-parse log parsing daemon.
ibd-ban   bans a single IP, also inserts reason descriptions.
ibd-del   lists or deletes a block database.
ibd-white reads or writes a whitelist database.

Config files:
/etc/ipqbdb.popt
/etc/ipqbdb-pcre.conf
whitelist text

Databases:
block     the IPs being blocked
white     the whitelisted IPs
descr     the reason descriptions

See also:
stockade http://caia.swin.edu.au/stockade/
fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page

Software Required:
Netfilter - GPLv2 or later http://www.netfilter.org/about.html
  you need the libnetfilter-queue-dev (debian) package, and
  your kernel must be compiled with the relevant CONFIG_NETFILTER* settings.
Berkeley DB - GPL and other http://www.oracle.com/technology/software/products/berkeley-db/htdocs/licensing.html
  ipqbdb is being tested with version 4.4
PCRE - BSD http://www.pcre.org/
Popt - GNU http://directory.fsf.org/project/popt/
