On 2012/05/03 10:57, Reindl Harald wrote:
On 03.05.2012 19:46, Paul W. Frields wrote:
On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
is there any way to specify here more than one source-address
(the usual comma-separated way does not work in this context)
a complete ACCEPT before is no solution because it would bypass
any selective ACCEPT-rule
iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1 --hitcount 75 -j REJECT --reject-with tcp-reset
Even when you use comma-separated addresses (allowed when not using
the '!' operator), iptables actually creates separate rules in
response to the command. I believe that's what you need to do in this
situation.
In theory, yes,
but practically the reject of this rule would be triggered.
A security auditor from a customer is whining that he no longer
can make security scans, and it will get hard to argue that
we cannot whitelist him in this case :-(
Ah, wait a minute. If he cannot make security scans neither can
anybody else. So de facto his job is finished.
For any exception you place into the rules to allow him to scan you must
think VERY carefully what its effects will be. You might accidentally
open up the internal network to him leading to a false positive detection
from his security scan.
You might sit down with him and work out a plan for what should be done
so he can do his job and you can have the "recent" rule still protecting
your network. Collaboration and education may be your best friend here.
He is, after all, really an ally even when taking on the mantle of an
adversary for security auditing. Besides, you might get the delight of
seeing the lights go on in another person's head when he grasps just what
it is you did which is keeping him, and all others who look like malicious
access attempts, out of your system. Lead him gently to the knowledge and
the results can be more than worth your time and effort.
{^_^}
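One way to exempt several scanner addresses from the "recent" rate limit without a blanket ACCEPT, as an added example that is not part of the thread: move the limit into a user-defined chain and RETURN whitelisted sources before the limit applies, so they fall back into INPUT and still hit the selective rules there. LOCAL_NETWORK, the interface and the whitelist addresses are constructed placeholders; set IPT="echo iptables" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): whitelist several sources from a
# "-m recent" rate limit with a RETURN in a dedicated chain instead of ACCEPT.
# LOCAL_NETWORK, IFACE and WHITELIST below are constructed placeholders.
LOCAL_NETWORK="${LOCAL_NETWORK:-192.168.0.0/24}"
IFACE="${IFACE:-eth0}"
# Constructed sample whitelist; a real deployment lists the auditor's sources.
WHITELIST="${WHITELIST:-203.0.113.10 203.0.113.11 198.51.100.0/28}"
# IPT="echo iptables" gives a dry run that only prints the commands.
IPT="${IPT:-iptables}"

# Emit the rule set. Order inside RATELIMIT matters: the RETURN rules for
# whitelisted sources come first, so their packets leave the chain untouched
# and continue in INPUT, where the selective ACCEPT/DROP rules still apply.
build_ratelimit_rules() {
    $IPT -N RATELIMIT
    for src in $WHITELIST; do
        $IPT -A RATELIMIT -s "$src" -j RETURN
    done
    # Same limit as the original pair: more than 75 new TCP connections within
    # 1 s from one non-local address gets a TCP reset; otherwise record the hit.
    $IPT -A RATELIMIT -m recent --update --seconds 1 --hitcount 75 --name NEWCONN \
        -j REJECT --reject-with tcp-reset
    $IPT -A RATELIMIT -m recent --set --name NEWCONN
    # One jump from INPUT replaces the two "! -s $LOCAL_NETWORK" rules, so the
    # negated source match (which cannot take a list) is needed only once.
    $IPT -I INPUT -p tcp -i "$IFACE" ! -s "$LOCAL_NETWORK" \
        -m state --state NEW -j RATELIMIT
}

# Dry-run helper: count the RETURN exemptions the rule set would contain,
# i.e. check that every whitelist entry became its own rule.
count_exemptions() {
    (IPT="echo iptables"; build_ratelimit_rules) | grep -c -- '-j RETURN'
}
```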
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org