README: usage

README.md

@@ -1,20 +1,29 @@
 # AutoFW
 
-This tool is inspired by fail2ban.
+This tool is inspired by fail2ban, but is simpler and less forgiving.
+You provide it with a list of whitelisted and blacklisted IP addresses and ranges, and its output is a list of command to blacklist slightly larger IP ranges covering multiple IP addresses.
 
-Assumes UFW for now.
+It assumes UFW for now.
+
+## Examples
+
+- For a.b.c.0 and a.b.c.1 you will get a block on a.b.c.0/31.
+- For a.b.c.0 and a.b.c.255 you will get a block on a.b.c.0/24.
+- For a.b.c.x and a.b.d.y you will get a block on a.b.0.0/16, if there are at least 4 blacklisted IP addresses in the a.b.0.0 block.
 
 ## Building
 
 On Ubuntu:
-apt-get install -y cmake libpcre2-dev
-
-cmake .
-make
+- `apt-get install -y cmake libpcre2-dev`
+- `cmake .`
+- `make`
 
 ## Usage
 
-1. Create a file autofw.whitelist, containing IP addresses and ranges that should always be allowed to connect.
+Initially, create a file autofw.whitelist, containing IP addresses and ranges that should always be allowed to connect.
+
+Create a script that performs the tasks below. This can be run by cron.
+
 1. Collect all IP addresses and ranges to block into a new file, say `autofw.badips`. It may be a good idea to filter out entries in the whitelist.
 1. Run `ufw insert 1 deny from $ip` for each entry in `autofw.badips`. The ufw tool will automatically ignore duplicates.
 1. Collect all blacklisted addresses using the following command:
@@ -22,3 +31,12 @@ make
 1. Run `./autofw > ufw.updates`.
 1. Run the `ufw.updates` script.
 
+To block machines trying to attack your SMTP server sending invalid commands, you can use a command such as the one below.
+Then simply add additional commands as needed.
+
+	cat /var/log/mail.log |
+		grep 'non-SMTP command' |
+		awk '{print $8}' |
+		tr '[]' ' ' |
+		awk '{print $2}' >> autofw.badips
+