On 13-10-23 10:57 PM, Thomas D. wrote:
> Hi,

Hi,

> I guess you were aware of the pros/cons when choosing an LTS release,
> weren't you? ;)

Of course.

> However, it should be easy to backport a current shorewall release (you
> could use the official SRC package from testing/SID and re-build it
> against your LTS version).

Yeah, the building of the packages is not the hard part.  It's deciding
to get on that self-maintenance treadmill and more importantly bringing
my current configuration up to the level needed by the newer releases.

I actually did start down this road the other day but I didn't have the
time to research why my current configuration was causing shorewall to barf.

> For me, backporting a package is much easier than fighting with an
> outdated version knowing that all your problems are addressed in a
> current version.

Sure, if your current configuration "just works".

> With "too sensitive" I meant something like:
> 
> 1: Source A can try to connect to port 80 at 13:00:00.
> 
> 2: Source A can try to connect to port 443 at 13:00:01.
> 
> 3: Source A can try to connect to port 8080 at 13:00:02.
> 
> 4: But source A cannot try to connect to port 3128 at 13:00:03 anymore,
>    because source A was blacklisted at 13:00:02 due to your portscan
>    rule, which only allows 3 unsuccessful scans within 5 seconds.
> 
> => 3 unsuccessful connections within 5 seconds are too sensitive

I disagree.  The time is actually quite irrelevant.  It's the activity.
If you want to portscan, welcome to my blacklist.  As much as you have
a coerced agreement from me to authorize a portscan because I connected
to one of your machines, I have an agreement here that if you portscan
me, I blacklist you.

> If you have to deal with this kind of legitimate

"legitimate" is a very grey area here.

> network traffic, you
> cannot use such a sensitive rule (or you have to whitelist).

> And to be honest, I don't consider port scans as important.

They are important in as much as they fill the logs with cruft and bury
more interesting stuff.

> Furthermore
> I don't think I gain much information from denied traffic at all (but I
> am still logging denied traffic, using a limit like Tom). Money quote:
> 
>> Enabling logging of "allow" actions gives you visibility into all
>> traffic into the environment. This is especially important since most
>> threats target open ports rather than closed.

That is an interesting perspective.

b.
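The disagreement above is about what a "3 unsuccessful connections within 5 seconds" blacklist rule actually does to the four-step sequence Thomas describes. The following is an added example, not code from either poster nor a Shorewall configuration: a small Python model of a sliding-window "N denied connections in T seconds" rule, replayed over a constructed event list (the source address 192.0.2.10, the function names and the verdict strings are all assumptions made for this illustration). It shows the source being blacklisted on the third denied attempt at 13:00:02 and the 3128 attempt at 13:00:03 being dropped by the blacklist, then shows the same traffic passing under a looser threshold, which is the tuning question the thread is really about.

```python
"""Model of a sliding-window "N denied connections in T seconds" blacklist rule.

Added illustration for the shorewall-users discussion above; it is not
Shorewall code and does not reproduce Shorewall's exact rate semantics.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not taken from anyone's real logs): the four
# attempts described in the message, all to ports the firewall denies.
# Each tuple is (source address, destination port, wall-clock time).
SAMPLE_EVENTS = [
    ("192.0.2.10", 80, "13:00:00"),
    ("192.0.2.10", 443, "13:00:01"),
    ("192.0.2.10", 8080, "13:00:02"),
    ("192.0.2.10", 3128, "13:00:03"),
]


def evaluate(events, hits, window_seconds):
    """Replay denied-connection events through a rate-based blacklist rule.

    A source is blacklisted the moment it has `hits` denied connections
    whose timestamps all fall strictly inside a `window_seconds` span
    (the "strictly inside" boundary is a modelling assumption).  Traffic
    from a blacklisted source is then dropped by the blacklist, not by
    the rule.  Returns (verdicts, blacklisted) where verdicts is a list of
    (source, port, time, verdict) and blacklisted maps source -> time.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    blacklisted = {}              # source -> time at which it was blacklisted
    window = timedelta(seconds=window_seconds)
    verdicts = []
    for src, port, ts in events:
        t = datetime.strptime(ts, "%H:%M:%S")
        if src in blacklisted:
            verdicts.append((src, port, ts, "dropped: blacklisted"))
            continue
        q = recent[src]
        q.append(t)
        # Forget attempts that have aged out of the window.
        while q and t - q[0] >= window:
            q.popleft()
        if len(q) >= hits:
            blacklisted[src] = ts
            verdicts.append((src, port, ts, "denied, source blacklisted"))
        else:
            verdicts.append((src, port, ts, "denied"))
    return verdicts, blacklisted


def main():
    # The rule from the thread: 3 denied connections within 5 seconds.
    for hits, secs in ((3, 5), (10, 60)):
        print(f"rule: {hits} denied connections within {secs}s")
        verdicts, blacklisted = evaluate(SAMPLE_EVENTS, hits, secs)
        for src, port, ts, verdict in verdicts:
            print(f"  {ts} {src} -> port {port}: {verdict}")
        print(f"  blacklisted: {blacklisted or 'nobody'}")


if __name__ == "__main__":
    main()
```

Under the 3-in-5 rule the model reproduces the scenario exactly: the source is blacklisted on the 8080 attempt at 13:00:02 and never gets to try 3128. The second run, 10 denied connections in 60 seconds, lets the same four attempts through as ordinary denied (and logged) traffic, which is the trade-off between b.'s "any portscan goes on the blacklist" position and Thomas's "too sensitive" objection: the threshold decides whether a handful of probes to closed ports is treated as a scan or as noise to be rate-limited in the logs.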


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users