So, I have started to use fail2ban with shorewall. It looks like the correct mechanism to use is shorewall drop along with BLACKLISTNEWONLY=No.
The problem is that this ends up blocking the inbound traffic from locally generated outbound sessions. My goal here is to add a drop/blacklist rule, dynamically, when fail2ban detects a host is doing bad things. A portscan is a good example to use for "bad things". But I also want to block/drop any established "inbound" connections that are open, for example to shut down a brute-force attack on SSH that might have started before the portscan started.

The collateral damage here, though, is for example IRC servers that I want to connect to that want to do a portscan of me to make sure I'm not an open relay. They end up blacklisted in the dynamic chain with no regard to whether the packets it's dropping are from outbound connections or inbound.

Maybe the problem is that I want to have my cake and eat it too, since there is no concept of inbound/outbound with ESTABLISHED sessions. Thoughts?

b.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
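The post above turns on whether an ESTABLISHED flow can be told apart by who opened it. The following is an added example, not code from the poster or from the Shorewall or fail2ban projects: it parses conntrack-table entries in the `conntrack -L` text format, where the first src/dst tuple on each line is the ORIGINAL direction (the side that opened the connection), and sorts the flows involving a banned address into ones the remote host originated (brute force, portscan probes) and ones this machine originated (the IRC session whose server is scanning back). The sample entries are constructed, use RFC 5737 documentation addresses, and are not captured from a real host. The two command strings it builds assume the `--ctdir` match of iptables' xt_conntrack module and the `--orig-src` filter of conntrack-tools; nothing is executed, and whether a given Shorewall version lets a dynamic blacklist rule carry such a match is not something this example checks.

```python
"""Separate conntrack flows a banned host opened from flows we opened towards it.

Added example (constructed data, not from the original post).  `conntrack -L`
prints two tuples per entry: the first is the ORIGINAL direction (the peer that
sent the first packet), the second the REPLY direction.  That is enough to
drop an attacker's own connections while leaving replies to our outbound
sessions alone.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in `conntrack -L` format (not captured from a real system).
# 198.51.100.2 is "us"; 203.0.113.7 is the host fail2ban has just banned.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.2 sport=51522 dport=22 src=198.51.100.2 dst=203.0.113.7 sport=22 dport=51522 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=198.51.100.2 dst=203.0.113.7 sport=40110 dport=6667 src=203.0.113.7 dst=198.51.100.2 sport=6667 dport=40110 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.7 dst=198.51.100.2 sport=51600 dport=113 [UNREPLIED] src=198.51.100.2 dst=203.0.113.7 sport=113 dport=51600 mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.0.2.9 dst=198.51.100.2 sport=33000 dport=443 src=198.51.100.2 dst=192.0.2.9 sport=443 dport=33000 [ASSURED] mark=0 use=1
"""

# One src/dst/sport/dport tuple; a line contains it twice (ORIGINAL, then REPLY).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    state: str        # TCP state field, "-" for protocols without one (udp)
    orig_src: str     # address that opened the connection
    orig_dst: str
    orig_sport: int
    orig_dport: int


def parse_conntrack(text: str) -> List[Flow]:
    """Parse `conntrack -L` style lines, keeping only the ORIGINAL tuple."""
    flows: List[Flow] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0]
        # tcp lines carry a state word before the tuples; udp lines go straight to src=.
        state = "-" if fields[3].startswith("src=") else fields[3]
        tuples = TUPLE_RE.findall(line)
        if not tuples:
            continue
        src, dst, sport, dport = tuples[0]  # first tuple == ORIGINAL direction
        flows.append(Flow(proto, state, src, dst, int(sport), int(dport)))
    return flows


def split_by_originator(flows: List[Flow], banned_ip: str) -> Tuple[List[Flow], List[Flow]]:
    """Return (flows the banned host opened, flows this machine opened towards it)."""
    theirs = [f for f in flows if f.orig_src == banned_ip]
    ours = [f for f in flows if f.orig_dst == banned_ip and f.orig_src != banned_ip]
    return theirs, ours


def ban_commands(banned_ip: str) -> List[str]:
    """Commands a fail2ban actionban could run.  Assumed options: xt_conntrack
    --ctdir and conntrack-tools --orig-src.  Strings only; nothing runs here."""
    return [
        # Match the banned address only when it is the connection originator;
        # its packets in a session we opened arrive as --ctdir REPLY and pass.
        f"iptables -I INPUT -s {banned_ip} -m conntrack --ctdir ORIGINAL -j DROP",
        # Tear down already-established flows the banned host originated,
        # leaving the entries for our own outbound sessions in the table.
        f"conntrack -D --orig-src {banned_ip}",
    ]


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    theirs, ours = split_by_originator(flows, "203.0.113.7")
    print("kill:", [(f.state, f.orig_dport) for f in theirs])
    print("keep:", [(f.state, f.orig_dport) for f in ours])
    for cmd in ban_commands("203.0.113.7"):
        print(cmd)
```

Run against the constructed table, the SSH session and the ident probe (both opened by 203.0.113.7) land in the kill list, while the IRC connection on port 6667 that this machine opened is kept even though the same address sits at the far end, which is exactly the distinction a blacklist keyed on source address alone cannot make.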
