It looks like people were more interested in whinging about receiving
a few emails from auto-responders (yes, I realize life can be tough)
than answering the question, so...
On Wed, Feb 28, 2001 at 09:01:12PM -0500, [EMAIL PROTECTED] wrote:
> Is there any reason in particular why PortSentry and an IPChains
> firewall would not work together?
>
> I ask this because ever since I implemented my IPChains firewall
> PortSentry no longer logs scans and since does not add the offender to the
> ipchains rules. I am pretty certain that part of the reason is due to the
> default rule being DENY and then just allowing certain
> hosts/packets/etc...
The ipchains rules filter out the packets before PortSentry has a chance
to see them and consider whether they're portscans or not. You'll only
see PortSentry pick up the packets if they get through the ipchains filters.
> I guess what I really am asking is: Is there a way to have the best of
> both worlds? I like the security of the default rule being DENY, but I
> also really liked the way PortSentry handled scans as far as the logging
> and the addition of their IP to the rules, thus specifically denying
> anything from that IP.
You could always log the ipchains-DENYd packets, pick up the IP addresses
from that, and block those addresses. I haven't looked at the PortSentry
source code but it should be easy enough to swipe the code for that. Um,
I mean be inspired by it.
Stil
--
Stilgherrian, Operations Manager
Taurfish Technology Services (ARBN V8636744)
http://www.taurfish.com.au/
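The approach suggested above (log the packets that the default DENY rule drops, pull the source addresses out of the log, and block the ones that look like scans) as an added example; this is not code from the post, from PortSentry, or from any ipchains tool. It assumes the kernel log line shape that ipchains produces for a rule carrying the -l flag ("Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."), a distinct-destination-port threshold as the scan heuristic (the threshold value and the ignore list are assumptions, chosen to mimic PortSentry's trigger count and ignore file), and the sample log lines are constructed here, not captured from a real host.

```python
import re
from collections import defaultdict

# Assumed shape of an ipchains kernel log entry (rule logged with -l):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)
# re.search skips the syslog prefix (timestamp, hostname, "kernel:").
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample log (not from a real system): 10.0.0.7 probes six ports
# and is dropped by the default DENY rule; 10.0.0.9 hits one denied port and
# one port that a logged ACCEPT rule let through; the last line is unrelated
# syslog noise that the parser must ignore.
SAMPLE_LOG = [
    "Feb 28 21:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:40001 192.168.1.1:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:40002 192.168.1.1:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:12 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:40003 192.168.1.1:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:13 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:40004 192.168.1.1:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:13 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:40005 192.168.1.1:111 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:13 fw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:40006 192.168.1.1:161 L=40 S=0x00 I=6 F=0x0000 T=64 (#9)",
    "Feb 28 21:01:20 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:1234 192.168.1.1:23 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#9)",
    "Feb 28 21:01:21 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.9:1235 192.168.1.1:80 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)",
    "Feb 28 21:02:00 fw sshd[123]: Accepted password for admin from 10.0.0.9 port 1236",
]


def parse_ipchains_log(line):
    """Parse one syslog line; return a dict of the packet fields or None
    if the line is not an ipchains packet log entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "chain": m.group("chain"),
        "target": m.group("target"),
        "iface": m.group("iface"),
        "proto": int(m.group("proto")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_scanners(lines, threshold=5, targets=("DENY", "REJECT"), ignore=()):
    """Return the sorted source addresses that were denied on at least
    `threshold` distinct (protocol, destination port) pairs. Only entries
    whose target is in `targets` count, so logged ACCEPTs never trigger;
    addresses in `ignore` (the local whitelist, like PortSentry's ignore
    file) are never reported."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_ipchains_log(line)
        if rec is None or rec["target"] not in targets:
            continue
        if rec["src"] in ignore:
            continue
        seen[rec["src"]].add((rec["proto"], rec["dport"]))
    return sorted(src for src, ports in seen.items() if len(ports) >= threshold)


def block_commands(addresses, chain="input"):
    """Build the ipchains commands that insert a logging DENY rule for each
    address at the top of the chain, ahead of any ACCEPT rules."""
    return [f"ipchains -I {chain} 1 -s {addr} -j DENY -l" for addr in addresses]


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG, threshold=5, ignore={"127.0.0.1"})
    for cmd in block_commands(scanners):
        print(cmd)
```

The default-DENY policy already drops the probes; what the inserted per-host rule adds is the same thing PortSentry's rule gave you, a rule ahead of the ACCEPTs so that the scanner loses even the services it would otherwise be allowed to reach. Keep the ignore list populated with your own addresses and any upstream hosts, because the source address in a dropped packet is whatever the sender put there, and an attacker who spoofs a host you depend on can use an auto-blocking script like this one to cut you off from it.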
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]