On 13-10-21 05:53 PM, Thomas D. wrote:
> Hi,

Hi Thomas,

> Why don't you use fail2ban with ipset?

Good idea. I looked into this. It seems this simplifies the problem quite a bit, if I've got it right.

> ipsets offer better performance over multiple rules.

Indeed.

So, just to make sure I have this right, disregard all of the previously discussed solution WRT actions, etc. and simply add to the shorewall blacklist file:

    +fail2ban
    +fail2ban_perm

and then create the two ipsets with:

    ipset -N fail2ban_perm iphash
    ipset -N fail2ban iphash

and then have fail2ban simply add and remove entries from the ipset, correct?

I can achieve my goal of allowing connections *to* blacklisted sites to be permitted by adding the following hack to started:

    $IPTABLES -I blacklst -m conntrack --ctdir REPLY -j RETURN

and I seem to be good to go. Do I have that all correct?

As an aside I wonder if it's a worthwhile feature to have a setting to allow connections *to* blacklisted sites and to add the above to the blacklst chain if that setting is enabled. What do you think Tom?

Cheers,
b.
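The setup described in the message, written out as a small POSIX shell helper (an added example, not code from Shorewall, fail2ban or the poster): the two sets are created idempotently, entries are validated as IPv4 addresses before being handed to ipset, the temporary set is created with timeout support so fail2ban-style bans can expire on their own, and the conntrack RETURN rule for the blacklst chain is only inserted if it is not already present. Set names are the ones from the message; the newer `ipset create NAME hash:ip` syntax is used instead of the older `ipset -N NAME iphash` form, and the IPSET/IPTABLES variables are an assumption added so the script can be dry-run with `echo`.

```shell
#!/bin/sh
# Added example for the fail2ban + ipset + Shorewall blacklist setup.
# IPSET/IPTABLES can be pointed at "echo" for a dry run (assumed variables).
IPSET="${IPSET:-ipset}"
IPTABLES="${IPTABLES:-iptables}"
TEMP_SET="fail2ban"          # entries added/removed by fail2ban
PERM_SET="fail2ban_perm"     # entries you add by hand and keep

# Accept only a dotted-quad IPv4 address, so a malformed value coming
# out of a log match can never reach ipset as a stray argument.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Create both sets. "-exist" makes this safe to rerun at boot; "timeout 0"
# on the temporary set enables per-entry timeouts (0 itself means no expiry).
setup_ipsets() {
    "$IPSET" create "$TEMP_SET" hash:ip timeout 0 -exist &&
    "$IPSET" create "$PERM_SET" hash:ip -exist
}

# Temporary ban: ban_ip <ip> [seconds]; the kernel drops the entry when the
# timeout expires, so no separate unban job is needed.
ban_ip() {
    is_ipv4 "$1" || { echo "ban_ip: rejected '$1'" >&2; return 1; }
    "$IPSET" add "$TEMP_SET" "$1" timeout "${2:-0}" -exist
}

unban_ip() {
    is_ipv4 "$1" || return 1
    "$IPSET" del "$TEMP_SET" "$1" -exist
}

# Permanent ban goes into the second set referenced from the blacklist file.
ban_ip_perm() {
    is_ipv4 "$1" || { echo "ban_ip_perm: rejected '$1'" >&2; return 1; }
    "$IPSET" add "$PERM_SET" "$1" -exist
}

# For Shorewall's "started" extension script: let packets in the REPLY
# direction (answers to connections we initiated) bypass the blacklist.
# "-C" checks for the rule first so repeated runs do not stack duplicates.
allow_replies_from_blacklisted() {
    "$IPTABLES" -C blacklst -m conntrack --ctdir REPLY -j RETURN 2>/dev/null ||
    "$IPTABLES" -I blacklst -m conntrack --ctdir REPLY -j RETURN
}
```

With the Shorewall blacklist file carrying `+fail2ban` and `+fail2ban_perm`, `setup_ipsets` must run before `shorewall start` (an `init` extension script is one place for it), and fail2ban's ipset-based action then only needs the equivalent of `ban_ip`/`unban_ip`. Run with `IPSET=echo IPTABLES=echo` to see the exact commands without touching the kernel.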
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
