Pardon my ignorance -- isn't --syn implied by -m state --state NEW? If so, then we already have it in the action iptables-new.conf.
On Mon, 20 Aug 2007, Pierre Chifflier wrote:
> Package: fail2ban
> Version: 0.8.1-1
> Severity: wishlist
> Tags: patch
>
> --- Please enter the report below this line. ---
> fail2ban generates rules for iptables matching only the port, for example:
>
> -A INPUT -p tcp -m multiport --dports 22,115 -j fail2ban-ssh
>
> This is bad, and can result in a nice DoS for NATed users: if two users
> share the same IP, and one fails 3 times to login, then all connections
> (including already established) are banned.
>
> Proposed solution: filter only SYN packets, so that established
> connections are not affected, only new ones (patch attached for
> iptables-multiport; the same solution could be applied to other actions as
> well).
>
> Regards,
> Pierre
>
> --- System information. ---
> Architecture: amd64
> Kernel: Linux 2.6.21-2-amd64
> Debian Release: lenny/sid
> 500 unstable ftp2.fr.debian.org
>
> --- Package information. ---
> Depends (Version) | Installed
> =============================-+-===========
> python-central (>= 0.5.8) | 0.5.14
> python (>= 2.4) | 2.4.4-6
> iptables | 1.3.8.0debian1-1
> lsb-base (>= 2.0-7) | 3.1-24

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
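An added example, not part of this bug report or of fail2ban itself: an audit that scans iptables-save style output for the problem Pierre describes, a jump into a fail2ban-* chain that matches every packet on the port instead of only connection-opening ones, and proposes the --syn form. The rule lines are constructed here for illustration (the first one is the rule quoted in the report); --syn, -m state --state NEW and -m conntrack --ctstate NEW are all accepted as "new connections only", with the caveat that whether --state NEW alone guarantees the SYN flag depends on the kernel's conntrack tcp_loose setting.

```python
import re
from typing import List

# Constructed sample in iptables-save syntax; the first line is the rule from the report.
SAMPLE_RULES = """\
-A INPUT -p tcp -m multiport --dports 22,115 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 25 -m state --state NEW -j fail2ban-postfix
-A INPUT -p tcp --syn -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 21 -j fail2ban-vsftpd
-A fail2ban-ssh -s 192.0.2.10/32 -j DROP
-A fail2ban-ssh -j RETURN
"""

# Any of these restricts a rule to packets that open a connection.
NEW_ONLY_MARKERS = (
    re.compile(r"(^|\s)--syn(\s|$)"),
    re.compile(r"-m state --state (\S*,)?NEW"),
    re.compile(r"-m conntrack --ctstate (\S*,)?NEW"),
)

def is_fail2ban_jump(rule: str) -> bool:
    """True for a rule in a non-fail2ban chain that hands packets to a fail2ban-* chain."""
    m = re.search(r"-A (\S+) .*-j (fail2ban-\S+)", rule)
    return bool(m) and not m.group(1).startswith("fail2ban-")

def matches_new_connections_only(rule: str) -> bool:
    """True if the rule cannot catch packets of an already established flow."""
    return any(p.search(rule) for p in NEW_ONLY_MARKERS)

def find_unrestricted_jumps(rules_text: str) -> List[str]:
    """Return fail2ban jump rules that would also ban established connections."""
    return [
        line for line in rules_text.splitlines()
        if is_fail2ban_jump(line) and not matches_new_connections_only(line)
    ]

def harden_rule(rule: str) -> str:
    """Rewrite an unrestricted TCP jump so it matches only SYN (connection-opening) packets."""
    if matches_new_connections_only(rule):
        return rule
    return rule.replace("-p tcp ", "-p tcp --syn ", 1)

if __name__ == "__main__":
    for r in find_unrestricted_jumps(SAMPLE_RULES):
        print("unrestricted:", r)
        print("  suggested: ", harden_rule(r))
```

On a live host the same functions can be fed the output of `iptables-save` instead of the constructed sample.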