If Shorewall works the same as iptables, existing connections are ESTABLISHED rather than NEW, so they won't be terminated. Personally I'd remove all selectors on the packet state or cstate so the firewall acts on all packets. Otherwise you need to add the Shorewall equivalent of ESTABLISHED and RELATED, and there is no point in adding all possible state options. It is easier to remove the state/cstate selector.

Again, but not knowing Shorewall, I am surprised there is only one blocking chain for f2b. This means, conceptually, one jail can unblock another jail's bans which is not good if both jails are blocking the same IP for different reasons.

On 28/11/2018 09:10, Koenraad Lelong wrote:

Hi,
Now that I'm studying the output of iptables a little more, I think I made a mistake by removing the NEW keyword from the BLACKLIST clause. I set it back again.
The problem remains that persistent html-connections are not terminated.

Kind regards,

Koenraad Lelong
B.T.W. I'm using shorewall as a firewall. I already modified its main config file to:
BLACKLIST="INVALID,UNTRACKED" (i.e. I removed the NEW keyword).
I did this because the standard config didn't work either.


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
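The two points raised above, that a ban gated on the NEW state never touches an already-open connection and that bans from different jails should live in separate chains, can both be checked against a live ruleset. The script below is an added example, not code from the thread, from fail2ban or from Shorewall: it parses the output of `iptables -S` (the sample ruleset embedded here is constructed, with two jail chains named in fail2ban's usual `f2b-<jail>` style, one of which is reached only for NEW packets) and reports which jail chains would leave established connections alive and which addresses are banned in more than one chain.

```python
"""Audit an `iptables -S` listing for fail2ban ban chains that are only
reached for NEW connections, so an established session from a banned
address keeps flowing.  Added example; the ruleset below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `iptables -S` output.  f2b-sshd is entered only for
# --ctstate NEW; f2b-apache-auth is entered for every packet on 80/443.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-N f2b-sshd
-N f2b-apache-auth
-A INPUT -p tcp -m multiport --dports 22 -m conntrack --ctstate NEW -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-auth
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.42/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-apache-auth -s 198.51.100.42/32 -j DROP
-A f2b-apache-auth -j RETURN
"""

CHAIN_RE = re.compile(r"^-A (\S+)")
JUMP_RE = re.compile(r"-j (\S+)")
SRC_RE = re.compile(r"-s (\S+)")
# Both the old `state` match and the newer `conntrack` match gate on state.
STATE_RE = re.compile(r"-m (?:conntrack --ctstate|state --state) (\S+)")
JAIL_PREFIX = "f2b-"  # chain naming convention assumed for this example


@dataclass
class ChainInfo:
    states: set = field(default_factory=set)    # states on jumps into the chain
    banned: list = field(default_factory=list)  # addresses DROPped/REJECTed


def parse_ruleset(text):
    """Map each jail chain to the states that reach it and the bans in it."""
    chains = {}
    for line in text.splitlines():
        cm = CHAIN_RE.match(line)
        jm = JUMP_RE.search(line)
        if not cm or not jm:
            continue
        chain, target = cm.group(1), jm.group(1)
        if target.startswith(JAIL_PREFIX):
            # A jump from a built-in chain into a jail chain: record the
            # state match, or ALL when the rule has no state selector.
            info = chains.setdefault(target, ChainInfo())
            sm = STATE_RE.search(line)
            info.states.update(sm.group(1).split(",") if sm else ["ALL"])
        elif chain.startswith(JAIL_PREFIX) and target in ("DROP", "REJECT"):
            sm = SRC_RE.search(line)
            if sm:
                chains.setdefault(chain, ChainInfo()).banned.append(sm.group(1))
    return chains


def leaves_established_alive(info):
    """True when nothing routes ESTABLISHED packets into the chain, so a
    connection opened before the ban is never seen by the ban rule."""
    return not ({"ALL", "ESTABLISHED"} & info.states)


def bans_by_address(chains):
    """Address -> chains banning it; with per-jail chains an unban in one
    jail leaves the other jail's ban in place."""
    seen = {}
    for name, info in chains.items():
        for addr in info.banned:
            seen.setdefault(addr, []).append(name)
    return seen


def audit(text):
    """Return {chain: established-connections-survive?} for every jail chain."""
    return {name: leaves_established_alive(info)
            for name, info in parse_ruleset(text).items()}


if __name__ == "__main__":
    for chain, alive in audit(SAMPLE_RULES).items():
        print(f"{chain}: established connections "
              f"{'SURVIVE the ban' if alive else 'are dropped too'}")
    for addr, where in bans_by_address(parse_ruleset(SAMPLE_RULES)).items():
        print(f"{addr} banned in {', '.join(where)}")
```

Run it against real output with `iptables -S | python3 audit_f2b.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`. A chain flagged as leaving established connections alive needs either the state selector removed from the jump (the fix suggested above) or the existing flow cleared from the conntrack table (`conntrack -D -s <addr>`), after which the flow's next packet is re-evaluated by the NEW-gated rule.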
