On Mon, 30 Sep 2002, peter wrote:

> I know this has been covered many times before but, cannot find a good point of
> reference.
>
> Anyway this is a Raq4 (fully patched inc SHP).
> ipchains (via pmfirewall) defaults to DENY all then ALLOW the services I am running.
> Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid)
>
> But because ipchains is denying packets the monitored ports do not trigger
> Portsentry, causing the Raq to go into overdrive when a full port sweep is happening.
> (I like to see what ipchains is up to so it is logging)
>
> What I want is a default DENY policy but Portsentry to see the port scans and then
> drop the connections from that IP via ipchains.
>
> What is the best way to achieve this?
>
> The only way I can think is re-open all the Portsentry monitored ports via ipchains,
> but this seems a bit daft.
ipchains logs to /var/log/kernel

Gerald
--
http://frontstreetnetworks.com | http://raqware.com
Front Street Networks LLC | Phone: +1 203-785-0699
229 Front Street, Ste. C, New Haven, CT. 06513-3203
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
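Added example, not part of the original thread: one way to spot a port sweep from the ipchains DENY log itself, so the monitored ports can stay closed. It assumes the 2.2-kernel ipchains log line layout shown in the first comment; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed 2.2-kernel ipchains log layout:
#   ... kernel: Packet log: input DENY eth0 PROTO=6 SRC:SPORT DST:DPORT L=.. (#rule)

# sweep_sources MIN: read log lines on stdin, print "source_ip count" for each
# source denied on at least MIN distinct TCP/UDP destination ports.
sweep_sources() {
    awk -v min="$1" '
        /Packet log: input DENY/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            if (i + 2 > NF) next                      # truncated line
            proto = $i
            if (proto != "PROTO=6" && proto != "PROTO=17") next   # TCP/UDP only
            src = $(i + 1); sub(/:[0-9]+$/, "", src)  # strip source port
            if (split($(i + 2), dst, ":") != 2) next  # need DST:DPORT
            key = src SUBSEP proto SUBSEP dst[2]      # count each proto/port once
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min + 0) print s, ports[s] }
    ' | sort
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_log() {
    cat <<'EOF'
Sep 30 10:15:01 raq4 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40112 192.0.2.10:21 L=44 S=0x00 I=4821 F=0x0000 T=242 SYN (#12)
Sep 30 10:15:01 raq4 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40113 192.0.2.10:23 L=44 S=0x00 I=4822 F=0x0000 T=242 SYN (#12)
Sep 30 10:15:02 raq4 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40114 192.0.2.10:23 L=44 S=0x00 I=4823 F=0x0000 T=242 SYN (#12)
Sep 30 10:15:02 raq4 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40115 192.0.2.10:111 L=44 S=0x00 I=4824 F=0x0000 T=242 SYN (#12)
Sep 30 10:15:03 raq4 kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:40116 192.0.2.10:111 L=28 S=0x00 I=4825 F=0x0000 T=242 (#12)
Sep 30 10:16:40 raq4 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.20:51000 192.0.2.10:80 L=60 S=0x00 I=901 F=0x4000 T=52 SYN (#12)
Sep 30 10:16:43 raq4 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.20:51000 192.0.2.10:80 L=60 S=0x00 I=902 F=0x4000 T=52 SYN (#12)
Sep 30 10:17:05 raq4 kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.20:51002 192.0.2.10:443 L=60 S=0x00 I=903 F=0x4000 T=52 SYN (#3)
EOF
}

sample_log | sweep_sources 3
# On the RaQ described above: sweep_sources 10 < /var/log/kernel
```

A single client retrying one closed port counts as one port, so only sources that touch many different ports cross the threshold.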
