Currently when I want to dynamically blacklist an IP I can run:
# shorewall block $ip
However the rules that are added are generated from
-A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
-A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
... and so on.
So if I want to block an IP that already has an ESTABLISHED
connection, I have to block it, then kill the connection. In my case I
had to do something like:
# shorewall drop $ip
# sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
# sleep 2s
# sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180
(default value)

Note: I was dealing with a UDP connection (established SIP which times
out in 180s)

The problem I see is that when we want to add to the blacklist
dynamically, there's probably an immediate issue that needs
resolution. If it was premeditated we'd just add the IP to blacklist
or blrules.

Is it possible to change the ctstate for the target chain 'dynamic' to
include ESTABLISHED?

Thanks

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
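As an added illustration of the workaround described in the post (this is example code, not something from the post or from the Shorewall project): instead of temporarily zeroing a global nf_conntrack timeout, which affects every flow on the box, the script below adds the address to Shorewall's dynamic blacklist and then deletes only that address's conntrack entries with the `conntrack` CLI from conntrack-tools, so the remaining packets of the old flow are seen as NEW and hit the 'dynamic' chain. It assumes shorewall and conntrack-tools are installed and that it runs as root; the argument check and the DRY_RUN switch are my own additions.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): put an
# address on the dynamic blacklist, then evict that address's existing
# conntrack entries so ESTABLISHED flows stop at once, without touching
# the global nf_conntrack_*_timeout sysctls.
# Assumes: shorewall and the `conntrack` CLI (conntrack-tools) installed,
# run as root. Set DRY_RUN=1 to print the commands instead of running them.

# Accept only a plain dotted-quad IPv4 address, so a malformed argument
# can never reach shorewall/conntrack as extra words or options.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

block_and_flush() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    # 1. Add the address to the dynamic blacklist. Only NEW/INVALID packets
    #    are sent to the 'dynamic' chain, so existing flows still pass here.
    run shorewall drop "$ip" || return 1
    # 2. Delete the conntrack entries where the address is the original
    #    source or the original destination. The next packet of each old
    #    flow is then NEW again and is dropped by the dynamic chain.
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
    return 0
}
```

Invoke as `block_and_flush 192.0.2.7`; with `DRY_RUN=1` it only prints the three commands it would run.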