[Firehol-support] Automatic blacklisting of scanners/brute-force attacks

Carlos Rodrigues cefrodrigues at gmail.com
Fri Jan 23 23:43:01 GMT 2009


On Fri, Jan 23, 2009 at 10:58 AM, Mirko Buffoni <firehol at synthesys.it> wrote:
> Then I didn't understand the following statement:
>
>> Keep in mind that when a new connection is not allowed,
>> the traffic will continue to be matched by the rest of
>> the firewall. In other words, if the traffic is not allowed
>> due to the limitations set here, it is not dropped.
>> It is just not matched by this rule.

That's the intuitive behavior, I guess (at least I find it intuitive).

If you have an interface and add an "accept" rule with the "with
recent" option, if the client exceeds the number of hits the rule
doesn't match and the traffic will eventually hit the interface policy
(which means it's blocked by default). If you have the inverse
("policy accept") and a "reject" rule with "with recent", then the
traffic will be rejected until it exceeds the hit count (although I'm
not finding any useful application for this).

> I supposed this was different than the counting solution
> I proposed.  This also allows only 1 counter to be specified.

Re-reading your previous message, I must say I think it isn't possible
to do what you want with FireHOL (although you can obviously add those
iptables rules to your FireHOL configuration).

Regards,

-- 
Carlos Rodrigues
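The two cases Carlos describes, written out as a FireHOL configuration. This is an added illustration, not part of the thread or of FireHOL's own documentation; it assumes the `with recent NAME SECONDS HITS` parameter form (NAME is the iptables recent list, and a client is matched while it has made at most HITS new connections in SECONDS), and the interface names are made up.

```firehol
version 5

# Case 1: default-deny interface with a rate-limited accept rule.
# A client gets at most 5 new SSH connections per 60 seconds.  The
# 6th connection in that window simply no longer matches this rule,
# so it falls through to the interface policy below and is dropped.
interface eth0 internet
    policy drop
    protection strong
    server ssh accept with recent sshd 60 5

# Case 2: the inverse.  With a default-allow interface, the reject
# rule matches (rejects) only while the client is under the limit;
# once it exceeds 5 hits in 60 seconds the rule stops matching and
# the traffic is accepted by the policy.  This is the behaviour the
# docs warn about and, as noted in the reply, rarely what you want.
interface eth1 lan
    policy accept
    server ssh reject with recent sshd_lan 60 5
```

Only the first form yields a blacklist-like effect, and even then the client is blocked only for as long as it keeps exceeding the limit within the window, not permanently.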
