On 07/17/2013 05:10 PM, johnny bowen wrote:
> Currently when I want to dynamically blacklist an IP I can run:
> # shorewall block $ip
> However the rules that are added are generated from
> -A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
> -A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
> ... and so on.
> So if I want to block an IP that already has an ESTABLISHED
> connection, I have to block it, then kill the connection. In my case I
> had to do something like:
> # shorewall drop $ip
> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
> # sleep 2s
> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180
> (default value)
>
> note: I was dealing with a UDP connection (established SIP which times
> out in 180s)
>
> The problem I see is that when we want to add to the blacklist
> dynamically, there's probably an immediate issue that needs
> resolution. If it was premeditated we'd just add the IP to blacklist
> or blrules.
>
> Is it possible to change the ctstate for the target chain 'dynamic' to
> include ESTABLISHED?
Depending on your shorewall version, check out BLACKLISTNEWONLY or BLACKLIST in shorewall.conf(5).

-Tom
--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
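As an added example (not code from either poster or from the Shorewall project), the following POSIX shell helper shows the two halves of the problem raised in the thread: checking whether a shorewall.conf applies the dynamic blacklist to ESTABLISHED flows at all, and blocking an address immediately when it does not. The rules quoted above only match --ctstate NEW,INVALID, so an already-tracked flow slips past the dynamic chain until its conntrack entry disappears; the original poster forced that by temporarily zeroing a global UDP timeout. Deleting just that peer's conntrack entries with conntrack(8) from conntrack-tools has the same effect without touching timeouts for every other flow: the next packet from the peer is classified NEW (or INVALID) and lands in the dynamic chain. The BLACKLIST= (Shorewall 4.5.7 and later) and BLACKLISTNEWONLY= keys are the ones Tom names; the sample config lines and the address 203.0.113.7 are constructed for the example, and the assumption that conntrack -D may exit non-zero when nothing matched is why it is followed by || true.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Assumes: shorewall(8), conntrack(8) from conntrack-tools, and a shorewall.conf
# that uses either BLACKLIST= (4.5.7+) or the older BLACKLISTNEWONLY= key.

# Read shorewall.conf text on stdin and report whether the dynamic blacklist
# covers already-established flows.  Prints one of:
#   all       - ESTABLISHED packets are checked against the blacklist
#   new-only  - only the states the thread's rules show (NEW,INVALID,...)
#   unknown   - neither key is set, so the version default applies
blacklist_scope() {
    # Strip comments and blank lines so a commented-out key is not read.
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')

    # Newer key: an explicit list of conntrack states.
    states=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*BLACKLIST=//p' | tr -d '"' | tail -n 1)
    if [ -n "$states" ]; then
        case ",$states," in
            *,ESTABLISHED,*) echo all ;;
            *)               echo new-only ;;
        esac
        return 0
    fi

    # Older key: Yes restricts checks to new connections, No checks every packet.
    newonly=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*BLACKLISTNEWONLY=//p' | tr -d '"' | tail -n 1)
    case "$newonly" in
        [Nn][Oo])    echo all ;;
        [Yy][Ee][Ss]) echo new-only ;;
        *)            echo unknown ;;
    esac
}

# Run a command, or just print it when DRY_RUN is set, so the sequence can be
# reviewed (and tested) without root or a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Block $1 right now, including flows conntrack already tracks.
block_now() {
    ip=$1
    # 1. Add the address to the dynamic blacklist (DROP disposition).
    run shorewall drop "$ip"
    # 2. Remove the peer's existing conntrack entries in both directions.
    #    Their next packet is then NEW/INVALID and hits the dynamic chain.
    #    (Assumption: some conntrack versions exit non-zero when nothing
    #    matched, hence "|| true".)
    run conntrack -D -s "$ip" || true
    run conntrack -D -d "$ip" || true
}

# Usage: DRY_RUN=1 ./block_now.sh 203.0.113.7    (prints the commands)
#        ./block_now.sh 203.0.113.7              (runs them, as root)
if [ -n "${1:-}" ]; then
    blacklist_scope < /etc/shorewall/shorewall.conf
    block_now "$1"
fi
```

Run blacklist_scope against the live config first: if it prints "all", the conntrack step is unnecessary because the blacklist rules already match established packets; if it prints "new-only", block_now is the minimal change that takes effect immediately.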
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
