Hello,

Lately I've been running into a situation that might call for a feature request: I'm running fail2ban to ban bot requests to our web and smtp/imap services. The action for fail2ban is set to shorewall; this way we have all firewall rules injected from the same interface. All fail2ban does is to issue shorewall drop/allow [IP] commands.
But: sometimes real clients get banned. Whether they forgot their email password, or forgot Caps Lock was on, doesn't matter. The thing is, it would be nice if, when banned on smtp for example, they were still able to access our site to issue a support request.

So here's the feature request: Is there a way to add a rule to the dynamic blacklist to drop packets to only one or, maybe, a few specific ports, and therefore allow the rest of the traffic?

I've had a look into the sources and it looks like the drop/allow functions get called in multiple ways, accounting for IP ranges and maybe more parameters that I'm not aware of. So to me it's not that trivial to accommodate the desired change. Even so, all modifications would disappear upon upgrading, which makes things more difficult to manage.

Thanks,
Marius

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
