ipqbdb: IPQ BDB filter

This package works with iptables, on Linux kernels. It consists of five simple
programs designed to maintain a Berkeley DB of IPv4 addresses without admin
intervention.

Version 1.0 can reject incoming TCP connections and interrupt established ones.

Man pages are still missing. However, each program has a --help option that
prints enough information to get started. In case anything is unclear, there
is a mailing list. The rest of this file explains the main concept and the
requirements. INSTALL has detailed explanations and examples for building and
installing. Two additional files, READMEconcurrency and READMEcrash, give some
additional insight on issues that may arise when using Berkeley DB.


CONCEPT
=======
The daemon is inspired by the STOCKADE daemon (see link below). Each record
features a decay and a probability. Banning an IP either inserts a new record
with the given probability, or doubles the probability of an existing record.
Probabilities define the likelihood that a packet will be blocked. They
decrease automatically: the decay is the time in which a probability halves.
It is possible to whitelist IP addresses in order to set their initial
decay. The decay is increased whenever the probability passes a certain
boundary, so that repeatedly banned IPs end up with a slow decay.

Banning is accomplished by a command line utility, and by a log parsing
daemon. In that respect, ipqbdb is a light version of fail2ban (see link
below).

While decays are expressed as floating point values, probabilities are
integers in the range 0-RAND_MAX. However, the probability for newly inserted
records is specified as a count, i.e. a number that defines the initial
probability such that doubling it that many times results in a probability
of 100%.
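The following is an added illustration of the record model described above;
it is not code from ipqbdb itself. It assumes a record with a probability in
0..RAND_MAX and a decay (half-life) in seconds, derives the initial
probability from a count, doubles it on every repeated ban, slows the decay
when the probability crosses a boundary, and applies decay in whole
half-lives. The boundary value (RAND_MAX/2), the decay multiplier (2.0) and
the whole-half-life simplification are assumptions made for this example;
the real daemon's constants are reported by ibd-config.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory equivalent of a block.db record (assumed layout). */
typedef struct {
    uint32_t ip;        /* IPv4 address in host byte order */
    long probability;   /* blocking probability, 0 .. RAND_MAX */
    double decay;       /* seconds in which the probability halves */
    double stamp;       /* time (seconds) of the last update */
} ban_record;

/* Assumed constants: boundary above which decay is slowed, and by how much. */
#define BOUNDARY      (RAND_MAX / 2)
#define DECAY_FACTOR  2.0

/* A count c yields the probability that reaches 100% (RAND_MAX) after c doublings. */
long initial_probability(int count) {
    long p = RAND_MAX;
    for (int i = 0; i < count; i++)
        p /= 2;
    return p;
}

/* Apply decay: halve once per completed half-life since the last stamp.
 * (Simplification for this example; a real implementation may interpolate.) */
void decay_record(ban_record *r, double now) {
    if (r->decay <= 0 || now <= r->stamp)
        return;
    long halvings = (long)((now - r->stamp) / r->decay);
    for (long i = 0; i < halvings; i++)
        r->probability /= 2;
    r->stamp += halvings * r->decay;
}

/* Ban an IP: create a record from the count, or double an existing one.
 * Crossing BOUNDARY upward slows the decay so repeat offenders linger. */
void ban(ban_record *r, int exists, uint32_t ip, int count,
         double initial_decay, double now) {
    if (!exists) {
        r->ip = ip;
        r->probability = initial_probability(count);
        r->decay = initial_decay;
        r->stamp = now;
        return;
    }
    decay_record(r, now);                        /* bring the record up to date */
    long before = r->probability;
    long after = before > RAND_MAX / 2 ? RAND_MAX : before * 2;  /* cap at 100% */
    r->probability = after;
    if (before <= BOUNDARY && after > BOUNDARY)
        r->decay *= DECAY_FACTOR;
}

/* Verdict for one packet: drop when a rand()-style draw falls below the probability. */
int should_drop(const ban_record *r, long draw) {
    return draw < r->probability;
}

int main(void) {
    ban_record r;
    uint32_t ip = 0xC0000201u;                   /* constructed example: 192.0.2.1 */
    ban(&r, 0, ip, 3, 60.0, 0.0);                /* first ban: 1/8 of RAND_MAX */
    printf("initial   p=%ld decay=%.0f\n", r.probability, r.decay);
    ban(&r, 1, ip, 3, 60.0, 0.0);
    ban(&r, 1, ip, 3, 60.0, 0.0);
    ban(&r, 1, ip, 3, 60.0, 0.0);                /* crosses BOUNDARY: decay doubles */
    printf("re-banned p=%ld decay=%.0f\n", r.probability, r.decay);
    decay_record(&r, 120.0);                     /* one half-life later */
    printf("decayed   p=%ld drop(rand)=%d\n", r.probability, should_drop(&r, rand()));
    return 0;
}
```

The verdict step is where ibd-judge's role fits: for each queued packet it
would look up the source address, decay the record, and compare a random draw
against the stored probability; everything else in the block is the
bookkeeping that ibd-ban and ibd-parse perform when they insert or re-ban.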

Multiple block DBs may be used for multiple netfilter queues. Which DBs are
used can be specified as command line options; frequently used options may
be saved in the popt config file.


REQUIREMENTS AND OTHER DETAILS
==============================

Programs:
ibd-judge  receives queued packets from the kernel and issues verdicts.
ibd-parse  parses log lines and inserts caught IPs in the database.
ibd-ban    bans a single IP, and also inserts reason descriptions.
ibd-del    lists or deletes selected database records.
ibd-white  reads or writes a whitelist database.
ibd-config displays values hard-coded at compile time.

Config files:
/etc/ipqbdb.popt
/etc/ipqbdb-pcre.conf
any whitelist text that you supply to ibd-white

Databases:
block.db  the IPs being blocked
white.db  the whitelisted IPs
descr.db  the reason descriptions and statistics
__db.00?  the Berkeley DB Environment (CDB)

See also:
stockade http://caia.swin.edu.au/stockade/
fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page

Software required:
Linux kernel 2.6.14 or later, and Netfilter - http://www.netfilter.org/about.html
  you need the libnetfilter-queue-dev (debian) package, and
  your kernel must be compiled with the relevant CONFIG_NETFILTER* settings
  (check with: grep CONFIG_NETFILTER /boot/config-$(uname -r) | less
  CONFIG_NETFILTER_DEBUG is not much use, though.)

Berkeley DB 4.6 or later - http://www.oracle.com/technology/software/products/berkeley-db/

PCRE e.g. libpcre3-dev (debian) package - http://www.pcre.org/

Popt e.g. libpopt-dev (debian) package - http://directory.fsf.org/project/popt/

