Robert Lindgren wrote:
> ...
>> Robert Lindgren wrote:
>>
>> > Is it possible to blacklist an ip but only for a specific port?
>> > shorewall drop <ip> <port> that is?
>> >
>>...
> Are there any plans to add such a feature? The reason for such a
> feature is that I want to block a specific ip from a specific port,
> let's say 22 since there has been abuse on that port, with something
> like fail2ban, but I still want clients from that IP to be able to
> access for example port 80.
>
> Not sure if this is possible with the static blacklist, since it
> probably sets up a blacklist table for blacklist and then I can add
> to that list with iptables commands.
>
> Well anyway it would be handy to have the option to only block a
> specific port in the dynamic blacklist.
I've been doing a bit of thinking about this, having spent most of the
day messing around with fail2ban in order to mitigate the effects of
some crazy spam attacks.
The dynamic blacklist is just a normal table called dynamic. There is
nothing to stop you putting stuff in there manually in a way that suits
your needs. So instead of running
shorewall drop IP
you would run
iptables -A dynamic --src IP --proto tcp --dport 22 -j DROP
The equivalent of
shorewall allow IP
would in this case be
iptables -D dynamic --src IP --proto tcp --dport 22 -j DROP
I personally don't see the need to blacklist this way (given that the
host is likely compromised and thus you shouldn't trust any traffic from
it), but there's nothing to say you can't do it if it makes sense to
you. (One exception to this rule about compromised hosts might be port
80, which is commonly transparently proxied by ISPs.)
In my fail2ban configuration I ended up using the dynamic blacklist as
is, plus a null route command to prevent outgoing traffic to that host.
(Thanks to Tuomo Soini for tips on this.) I also set
BLACKLISTNEWONLY=No in shorewall.conf to make sure that packets which
are part of existing connections get dropped. The particular spambot
which is attacking my server attempts to relay multiple messages in a
single (authenticated) TCP connection.
Caveat: Note the performance considerations for blacklists in Shorewall
at http://www.shorewall.net/blacklisting_support.htm
Paul
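A fail2ban action that applies Paul's port-specific rule to Shorewall's dynamic chain, as an added example that is not part of the original thread. It assumes fail2ban's 0.8-style action file format (`actionban`/`actionunban` with the `<ip>`, `<port>` and `<protocol>` tags filled in from the jail definition); the file name `shorewall-dynamic-port.conf` is my choice.

```ini
# /etc/fail2ban/action.d/shorewall-dynamic-port.conf  (assumed path and name)
# Bans an IP only for the jail's port by adding a rule to Shorewall's
# "dynamic" chain (the rule from the post above), instead of a full drop.
[Definition]
# Shorewall creates and owns the dynamic chain, so there is nothing to set
# up or tear down here.
actionstart =
actionstop  =
# Run by fail2ban before each ban/unban; a non-zero exit means the chain is
# gone (e.g. the firewall was reloaded without restoring dynamic rules).
actioncheck = iptables -n -L dynamic >/dev/null
# Port-limited drop: the host can still reach other services, e.g. port 80.
actionban   = iptables -A dynamic -s <ip> -p <protocol> --dport <port> -j DROP
# Must match actionban argument for argument, or the delete finds no rule.
actionunban = iptables -D dynamic -s <ip> -p <protocol> --dport <port> -j DROP

[Init]
# Defaults; a jail overrides them with
#   action = shorewall-dynamic-port[port=22, protocol=tcp]
port = 22
protocol = tcp
```

As the post notes, set BLACKLISTNEWONLY=No in shorewall.conf if these rules should also cut connections that are already established; otherwise only new connections to the port are affected.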
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users