Re: iptables recent / more than one exception

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On 2012/05/03 10:57, Reindl Harald wrote:


Am 03.05.2012 19:46, schrieb Paul W. Frields:
On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
is there any way to specify here more than one source-address
(the usual comma seperated way does not work in this context)

a complete ACCEPT before is no solution because it would bypass
any selective ACCEPT-rule

iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1 --hitcount  75 -j REJECT --reject-with tcp-reset

Even when you use comma-separated addresses (allowed when not using
the '!' operator), iptables actually creates separate rules in
response to the command.  I believe that's what you need to do in this
situation

in theory yes
but practically the reject of this rule would be triggered

a secuity auditor from a customer is whining the he no longer
can make security-scans and it will get hard to arue that
we can not whitelist him in this case :-(

Ah, wait a minute. If he cannot make security scans neither can
anybody else. So defacto his job is finished.

For any exception you place into the rules to allow him to scan you must
think VERY carefully what it's effects will be. You might accidentally
open up the internal network to him leading to a false positive detection
from his security scan.

You might sit down with him and work out a plan for what should be done
so he can do his job and you can have the "recent" rule still protecting
your network. Collaboration and education may be your best friend here.
He is, after all, really an ally even when taking on the mantle of an
adversary for security auditing. Besides, you might get the delight of
seeing the lights go on in another person's head when he grasps just what
it is you did which is keeping him, and all others who look like malicious
access attempts, out of your system. Lead him gently to the knowledge and
the results can be more than worth your time and effort.

{^_^}
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



Photo 4 Less

[Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Find Someone Special]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

Add to Google Powered by Linux