On 10/21/2013 7:57 AM, Brian J. Murrell wrote:
> So, I have started to use fail2ban with shorewall. It looks like the
> correct mechanism to use is shorewall drop along with BLACKLISTNEWONLY=No.
>
> The problem is that that ends up blocking the inbound traffic from
> locally generated outbound sessions.
>
> My goal here is to add a drop/blacklist rule, dynamically, when fail2ban
> detects a host is doing bad things. A portscan is a good example to use
> for "bad things". But I also want to block/drop any established
> "inbound" connections that are open, for example to shut down a
> brute-force attack on SSH that might have started before the portscan
> started.
>
> The collateral damage here though is, for example, IRC servers that I
> want to connect to that want to do a portscan of me to make sure I'm not
> an open relay. They end up blacklisted in the dynamic chain with no
> regard to whether the packets it's dropping are from outbound
> connections or inbound.
>
> Maybe the problem is that I'm wanting to have my cake and eat it too,
> since there is no concept of inbound/outbound with ESTABLISHED sessions.
>
> Thoughts?
Try this:

/etc/shorewall/actions

    ban
    fail2ban

/etc/shorewall/action.fail2ban

    ban - -

/etc/shorewall/action.ban is empty

/etc/shorewall/rules

    ?section ESTABLISHED
    fail2ban net all

    ?section NEW
    fail2ban net all

Now have fail2ban add DROP or REJECT rules to the ban chain

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
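The last step, "have fail2ban add DROP or REJECT rules to the ban chain", is done on the fail2ban side with a custom action. The file below is an added example, not part of Tom's reply or of the Shorewall or fail2ban projects; it assumes the file name /etc/fail2ban/action.d/shorewall-ban.conf and a jail that references it with `banaction = shorewall-ban`. The chain name `ban` is the one Shorewall creates from the (empty) action.ban above, so the action deliberately does not create or delete the chain itself; it only inserts and removes per-host rules in it.

```ini
# /etc/fail2ban/action.d/shorewall-ban.conf  (assumed path; added example)
# Inserts per-host DROP rules into the Shorewall-managed "ban" chain.
# The chain itself is created by Shorewall from action.ban, so we never
# create it here; we only add and remove rules inside it.

[Definition]

# Nothing to set up: Shorewall already built the chain.
actionstart =

# On fail2ban stop, clear every ban we inserted.
actionstop = iptables -F ban

# Verify the chain still exists before banning. If Shorewall has been
# restarted the chain is rebuilt empty, and fail2ban re-runs actionstart
# when this check fails instead of failing silently.
actioncheck = iptables -n -L ban >/dev/null

# Ban: insert at the top of the chain so it is matched before anything else.
# <ip> is expanded by fail2ban to the offending address.
actionban = iptables -I ban -s <ip> -j DROP

# Unban: delete the exact rule inserted above.
actionunban = iptables -D ban -s <ip> -j DROP

[Init]
```

Because Shorewall flushes and rebuilds its chains on a restart, bans active at that moment are lost until fail2ban's next check or ban; in practice `fail2ban-client reload` after a Shorewall restart restores them from the fail2ban database. Use `ip6tables` in a second action file if the jail must also handle IPv6 sources.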
