Robert Lindgren wrote:
Thanks Tom,Are there any plans adding such a feature?
No.
The reason for such a feature is that I want to block a specific ip from a specific port, lets say 22 since there has been abuse on that port, with something like fail2ban, but I still want clients from that IP to be able to access for example port 80. Not sure if this is possible with the static blacklist, since it problable sets up a blacklist table for blacklist and then I can add to that list with iptables commands.
It is very possible with a blacklist based on ipsets. There are examples in the documentation.
Unfortunately, ipsets still require kernel patching but they are by far the best mechanism available for maintaining large and/or dynamic sets of IP addresses and/or IP-Address/port pairs.
-Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
