Hi Christoph, sorry that I was silent... was quite swamped with RL etc.

so... in usual use cases we ask firewalls to start before fail2ban... fail2ban uses 'iptables -I INPUT' which inserts its rule at linenum 1, so fail2ban chains should be processed before anything else with evil '-j ACCEPT'. am I just too tired and missing the point? or everything should work as desired? ;)

if I am not really correct and you just claim that sometimes something might start AFTER fail2ban and insert rules before it? well, then maybe we need to adjust actioncheck in iptables.conf to assure that first lines are always the fail2ban's ones. ? or am I lost?

On Mon, 16 Feb 2009, Christoph Anton Mitterer wrote:

> actionstart = iptables -N fail2ban-<name>
>               iptables -A fail2ban-<name> -j RETURN
>               iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
>
> But the action start is very problematic: It simply appends the fail2ban
> rule to the chain.
> Now consider a system where I'm using iptables rules like this:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT --destination hilbert.scientia.net --protocol tcp -m tcp --destination-port ssh --syn -j ACCEPT
> COMMIT
>
> These rules might be loaded at any point (e.g. via the pre-up
> of /etc/network/interfaces or some selfmade /etc/init.d/iptables
> script).

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
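The ordering argument above (fail2ban's '-I INPUT' lands at line 1, so a later '-A INPUT ... -j ACCEPT' cannot shadow it, but anything that inserts above it or reloads the whole table can) is easy to verify mechanically. The following is an added example, not code from this mail and not fail2ban's own iptables.conf: a POSIX shell function that reads the output of 'iptables -S INPUT' and reports whether every jump into a fail2ban-* chain sits above the first '-j ACCEPT' in INPUT, which is the property an actioncheck would want to assert. The function names, the 192.0.2.10 address and the three sample rule sets are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not fail2ban's code, not from the mail):
# verify the ordering that 'iptables -I INPUT' in actionstart relies on,
# i.e. every jump into a fail2ban-* chain precedes the first '-j ACCEPT'
# in INPUT. Input is 'iptables -S INPUT' output, one rule per line, in
# chain order. Function names and sample rule sets are assumptions.

# Exit status: 0 = all fail2ban-* jumps precede the first ACCEPT in INPUT,
#              1 = some ACCEPT is evaluated before a fail2ban-* jump,
#              2 = INPUT holds no fail2ban-* jump at all (e.g. a table reload
#                  from a saved ruleset silently dropped it).
check_fail2ban_order() {
    awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /-j ACCEPT/ && first_accept == 0 { first_accept = n }
        /^-A INPUT / && /-j fail2ban-/ {
            seen = 1
            if (first_accept > 0) bad = 1
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample 1: firewall started first, fail2ban inserted at line 1
# above the admin ssh ACCEPT. This is the intended order.
GOOD_INPUT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT'

# Constructed sample 2: something ran '-I INPUT ... -j ACCEPT' after fail2ban
# started, so SYNs to port 22 never reach the fail2ban-ssh chain.
BAD_INPUT='-P INPUT DROP
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh'

# Constructed sample 3: the filter table was reloaded from a saved ruleset
# (the "*filter ... COMMIT" case), which wiped the fail2ban jump entirely.
MISSING_INPUT='-P INPUT DROP
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT'

# Feed a rule set held in a variable to the checker; returns its status.
check_sample() {
    printf '%s\n' "$1" | check_fail2ban_order
}

# Stand-alone demo over the constructed samples. On a live host run instead:
#   iptables -S INPUT | check_fail2ban_order; echo "status $?"
for name in GOOD_INPUT BAD_INPUT MISSING_INPUT; do
    eval "rules=\$$name"
    check_sample "$rules" && status=0 || status=$?
    echo "$name: status $status"
done
```

A status of 1 is the case Christoph describes (an ACCEPT shadowing the fail2ban chain); a status of 2 is the quieter failure where a full ruleset reload removed the jump, which a plain "is the rule present" check already catches but an ordering check reports distinctly. Either non-zero status is what an actioncheck would return so that fail2ban re-runs actionstart.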