ipqbdb: IPQ BDB filter
https://savannah.nongnu.org/projects/ipqbdb/

This package works with iptables on Linux kernels.  It consists of six small
programs designed to maintain a Berkeley DB of IPv4 addresses without admin
intervention.

Man pages are still missing.  However, each program has a --help option that
gives enough information to use it.  In case anything is unclear, there is a
mailing list.  The rest of this file explains the main concept and the
requirements.  INSTALL has detailed explanations and examples for building and
installing.  Two additional files, READMEconcurrency and READMEcrash, give some
insight on issues that may arise when using Berkeley DB.  READMEphp shows how
to call ibd-ban from PHP functions.


CONCEPT
=======
The daemon is inspired by the STOCKADE daemon (see link below).  Each IP record
carries a decay and a probability.  Banning an IP either inserts a new record
with the given probability, or doubles the probability of an existing record.
The probability is the likelihood that a packet from that IP will be blocked.
Probabilities decrease automatically: the decay is the time in which a
probability halves.  IP addresses can be whitelisted in order to set the
initial decay of their records.  The decay is increased whenever the
probability crosses a certain threshold upward, so that repeatedly banned IPs
end up with a slower decay.

Banning is accomplished by a command line utility and a log parsing daemon.  In
that respect, ipqbdb is a light version of fail2ban (see link below).

While decays are expressed as floating point values, probabilities are integers
in the range 0-RAND_MAX.  However, the probability for newly inserted records
is specified as a count: the initial probability is RAND_MAX halved that many
times, so that doubling it that many times (one doubling per further ban,
before it decays) brings it to 100%.
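As an added worked example, not code from ipqbdb itself, the following C
program models the concept described above: a record carrying a probability and
a decay, the conversion from a count to an initial probability, doubling on
re-ban, halving over time, and the per-packet verdict.  The threshold that slows
the decay and the factor it grows by (DECAY_THRESHOLD, DECAY_GROWTH) are
assumptions, as is computing the initial probability from RAND_MAX + 1 so that
the doublings saturate exactly at 100%; the README does not specify either.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed knobs: the README says the decay slows when the probability passes
 * "a certain threshold upward" but gives neither the threshold nor the factor. */
#define DECAY_THRESHOLD ((long long)RAND_MAX / 2)
#define DECAY_GROWTH    2.0

struct record {
    long long probability;  /* 0 .. RAND_MAX: chance that a packet is dropped */
    double    decay;        /* seconds in which the probability halves */
    double    updated;      /* time (seconds) the probability was last aged */
};

/* Initial probability for a count: RAND_MAX halved `count` times.  Computed on
 * RAND_MAX + 1 (a power of two on common libcs) so that `count` doublings land
 * exactly on 100%; that choice is this example's, not the project's. */
long long initial_probability(int count)
{
    if (count <= 0)
        return RAND_MAX;
    return ((long long)RAND_MAX + 1) >> count;
}

/* Doubling on re-ban, saturating at RAND_MAX (100%). */
long long doubled(long long p)
{
    return p > RAND_MAX / 2 ? RAND_MAX : p * 2;
}

/* 2^(-x) for x >= 0 without libm: whole halvings are multiplications by 0.5,
 * the fractional part goes through a short Taylor series for exp(). */
static double half_pow(double x)
{
    long n = (long)x;
    double y = -(x - n) * 0.6931471805599453;  /* frac * ln(1/2) */
    double term = 1.0, sum = 1.0;
    for (int k = 1; k < 20; k++) {
        term *= y / k;
        sum += term;
    }
    while (n-- > 0)
        sum *= 0.5;
    return sum;
}

/* Bring a record's probability forward to time `now`: it halves once per
 * `decay` seconds elapsed. */
void age_record(struct record *r, double now)
{
    double elapsed = now - r->updated;
    if (elapsed > 0 && r->decay > 0)
        r->probability = (long long)(r->probability * half_pow(elapsed / r->decay));
    r->updated = now;
}

/* First ban of an IP: insert a record with the count-derived probability. */
void record_insert(struct record *r, int count, double decay, double now)
{
    r->probability = initial_probability(count);
    r->decay = decay;
    r->updated = now;
}

/* Further ban of a known IP: age what is there, double it, and if the
 * probability crossed the threshold upward, make the decay slower. */
void record_reban(struct record *r, double now)
{
    long long before;
    age_record(r, now);
    before = r->probability;
    r->probability = doubled(before);
    if (before <= DECAY_THRESHOLD && r->probability > DECAY_THRESHOLD)
        r->decay *= DECAY_GROWTH;
}

/* Verdict for one packet, given a draw from rand(): drop iff draw < probability. */
int verdict_drop(const struct record *r, long long draw)
{
    return draw < r->probability;
}

/* Worked scenario (constructed): IP banned with count 3 and a one-hour decay,
 * re-banned three times at once (reaching 100%, and crossing the threshold so
 * the decay doubles to two hours), then left alone for one decay period. */
struct record worked_example(void)
{
    struct record r;
    record_insert(&r, 3, 3600.0, 0.0);
    record_reban(&r, 0.0);
    record_reban(&r, 0.0);
    record_reban(&r, 0.0);
    age_record(&r, r.decay);   /* one decay period later: back to 50% */
    return r;
}

int main(void)
{
    struct record r = worked_example();
    printf("probability %lld of %d (%.1f%%), decay now %.0f s\n",
           r.probability, RAND_MAX, 100.0 * r.probability / RAND_MAX, r.decay);
    printf("drop verdict for draw %d: %d\n", RAND_MAX / 4,
           verdict_drop(&r, RAND_MAX / 4));
    return 0;
}
```

The point to take from the scenario is how the two knobs interact: a burst of
bans drives the probability to 100% quickly, but because the threshold crossing
lengthened the decay, the record now takes twice as long to fall back to 50%.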


REQUIREMENTS AND OTHER DETAILS
==============================

Programs:
ibd-judge   receives queued packets from the kernel and issues verdicts.
ibd-parse   parses log lines and inserts caught IPs in the database.
ibd-ban     bans a single IP; also inserts reason descriptions.
ibd-del     lists or deletes selected database records.
ibd-white   reads or writes a whitelist database.
ibd-config  displays compile-time configuration values.

Config files:
/etc/ipqbdb.popt
/etc/ipqbdb-pcre.conf
/etc/ipqbdb-connkill.cmd
any whitelist text that you supply to ibd-white

Databases:
block.db    the IPs being blocked
white.db    the whitelisted IPs
descr.db    the reason descriptions and statistics
__db.00?    the Berkeley DB environment (CDB)

See also:
stockade    http://caia.swin.edu.au/stockade/
fail2ban    http://www.fail2ban.org/wiki/index.php/Main_Page

Software required:
Linux kernel 2.6.14 or later, and Netfilter - http://www.netfilter.org/about.html
 Your kernel must be compiled with the relevant CONFIG_NETFILTER* settings;
 check with: grep CONFIG_NETFILTER /boot/config-$(uname -r) | less
 (CONFIG_NETFILTER_DEBUG is not of much use, though.)

Libnetfilter_queue - http://www.netfilter.org/projects/libnetfilter_queue/
 (this in turn requires libnfnetlink)
 You are *STRONGLY* advised to use libnetfilter_queue 0.0.17 or later,
 otherwise queue errors may freeze the daemon (see READMEcrash).  If you use an
 older Debian distro, see also "Installing libnetfilter_queue on lenny" in
 INSTALL.

Berkeley DB 4.6 or later - http://www.oracle.com/technology/software/products/berkeley-db/

PCRE e.g. libpcre3-dev (debian) package - http://www.pcre.org/

Popt e.g. libpopt-dev (debian) package - http://directory.fsf.org/project/popt/

