Quoting Vieri Di Paola <vieridipa...@yahoo.com>:

Hi,

Suppose I have rules such as:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]

I'd like to automatically/dynamically blacklist all IP addresses of hosts that try to connect to any other unlisted port (e.g. port tcp 2222 or 1234, etc.). So if a host tries to connect to port tcp 1234 (on which my site does not serve anything) I'd like the "net" SRC address to be blacklisted "globally", i.e. it should not be able to connect to ANY port, not even those listed above (80,443,3389), for at least 1 hour.


Personally I use PSAD for this, it works nicely with Shorewall.
I'm a little more obnoxious and set it to a 24 hr block.  ;)

I've read about shorewall events (BTW there's a missing ',-' in the example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it fits my needs.

The following doesn't seem to do what I want:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all

Aren't the IP addresses in ABL_BL supposed to be REJECTed regardless of where they're trying to connect to?

Maybe there's a simpler way to do this with Shorewall actions and dynamic blacklisting?

Thanks,

Vieri

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


--
Mark D. Montgomery II
http://www.techiem2.net
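As an added illustration (not code from the thread, from Shorewall or from PSAD), the blocking behaviour Vieri describes replayed in Python over constructed netfilter-style log lines: one attempt on an unlisted port (threshold 1 inside a 10-second window, the numbers from the AutoBL(ABL,10,1,-,3600,...) line) blocks that source on every port for 3600 seconds, after which it is admitted again. The log layout, the addresses and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LISTED_PORTS = {80, 443, 3389}                 # ports the thread's rules expose
INTERVAL, THRESHOLD, BL_TIMEOUT = 10, 1, 3600  # window, hits, block time (seconds)
# Constructed syslog lines carrying netfilter's SRC=/DPT= fields (documentation
# addresses; the layout is an assumption, not a real capture).
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51000 DPT=443
Jan 10 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51001 DPT=1234
Jan 10 10:00:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51002 DPT=80
Jan 10 10:00:20 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.1 PROTO=TCP SPT=40000 DPT=80
Jan 10 11:00:10 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51003 DPT=80
"""
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")
EPOCH = datetime(1900, 1, 1)  # strptime without %Y yields year 1900; only differences matter

def parse(line):
    """Return (seconds, src, dport) for a packet line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    secs = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return secs, m["src"], int(m["dport"])

def replay(log, listed=LISTED_PORTS, interval=INTERVAL, threshold=THRESHOLD, timeout=BL_TIMEOUT):
    """Replay packets in order; return (src, dport, verdict) for each one."""
    blacklist = {}              # src -> time at which its block expires
    hits = defaultdict(deque)   # src -> times of recent attempts on unlisted ports
    verdicts = []
    for pkt in filter(None, map(parse, log.splitlines())):
        ts, src, dport = pkt
        if blacklist.get(src, 0) > ts:            # blocked on every port, listed or not
            verdicts.append((src, dport, "BLACKLISTED"))
            continue
        blacklist.pop(src, None)                  # drop an expired entry
        if dport in listed:
            verdicts.append((src, dport, "ACCEPT"))
            continue
        q = hits[src]
        q.append(ts)
        while ts - q[0] > interval:               # keep only hits inside the window
            q.popleft()
        if len(q) >= threshold:                   # threshold reached: start the block
            blacklist[src] = ts + timeout
            q.clear()
        verdicts.append((src, dport, "REJECT"))
    return verdicts
```

In the replay the blacklist test runs before the port test; in a Shorewall rules file the order of the lines decides that, so an AutoBL line placed after the ACCEPT rules only ever sees packets those rules did not already accept.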
