Another way to solve it is to use some tool that is able to manipulate the state table, and then you prematurely expire the entries for clients that get banned. I googled and it seems netfilter is able to manipulate the state table. That will cause packets from banned clients to immediately be dropped after a ban.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kiss Gábor
Sent: 21 February 2016 12:11
To: Sebastian Nielsen <sebast...@sebbe.eu>
Cc: postfix-users@postfix.org
Subject: Re: SV: Security: How to limit authentication attempts?

Dear Sebastian,

> To make sure fail2ban breaks the connection, you need to put the
> fail2ban rules BEFORE any "ESTABLISHED,RELATED" rule.

As I wrote this is what I wish to avoid if possible. I don't want an unnecessary check against a list of banned addresses on _every_ IP packet.

Regards
Gabor