Re: iptables recent / more than one exception

On 2012/05/03 10:57, Reindl Harald wrote:
> On 03.05.2012 19:46, Paul W. Frields wrote:
>> On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
>>> is there any way to specify here more than one source-address
>>> (the usual comma separated way does not work in this context)
>>>
>>> a complete ACCEPT before is no solution because it would bypass
>>> any selective ACCEPT-rule
>>>
>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1 --hitcount 75 -j REJECT --reject-with tcp-reset
>>
>> Even when you use comma-separated addresses (allowed when not using
>> the '!' operator), iptables actually creates separate rules in
>> response to the command.  I believe that's what you need to do in this
>> situation
>
> in theory yes
> but practically the reject of this rule would be triggered
>
> a security auditor from a customer is whining that he no longer
> can make security-scans and it will get hard to argue that
> we can not whitelist him in this case :-(

Ah, wait a minute. If he cannot make security scans neither can
anybody else. So de facto his job is finished.

For any exception you place into the rules to allow him to scan you must
think VERY carefully what its effects will be. You might accidentally
open up the internal network to him leading to a false positive detection
from his security scan.

You might sit down with him and work out a plan for what should be done
so he can do his job and you can have the "recent" rule still protecting
your network. Collaboration and education may be your best friend here.
He is, after all, really an ally even when taking on the mantle of an
adversary for security auditing. Besides, you might get the delight of
seeing the lights go on in another person's head when he grasps just what
it is you did which is keeping him, and all others who look like malicious
access attempts, out of your system. Lead him gently to the knowledge and
the results can be more than worth your time and effort.

{^_^}
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
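The thread leaves the actual firewall layout open: the original "! -s $LOCAL_NETWORK" rules cannot take a comma-separated list, and simply issuing one "! -s" rule per exempt source does not work either, because a packet from the first exempt source still matches the "! -s" test of the second rule and gets counted. The following script is an added example, not code from the thread or from any of its participants; it shows the usual way to express several exemptions with the "recent" match: a dedicated chain in which each exempt source RETURNs before the rate-limiting rules, so that the REJECT is never reached for them while every other selective ACCEPT rule in INPUT still applies. The interface name, the exempt networks (a local network plus one scanner address) and the thresholds are placeholders; the chain name NEW_TCP_LIMIT and the recent list name tcplimit are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rate-limit new TCP
# connections with the "recent" match while exempting several sources.
# The exemptions live in their own chain so that "! -s" is not needed.

IFACE="eth0"                                  # placeholder interface
# Exempt sources, space separated: local network + auditor's scanner.
# Both values are constructed placeholders (RFC 1918 / documentation ranges).
EXEMPT_SOURCES="192.168.1.0/24 203.0.113.10"
SECONDS_WINDOW=1                              # same window as the thread's rule
HITCOUNT=75                                   # same threshold as the thread's rule
CHAIN="NEW_TCP_LIMIT"                         # assumed chain name
LIST="tcplimit"                               # assumed "recent" list name

# Emit the iptables commands for the given exempt sources, one per line.
# Printing instead of executing lets the ruleset be reviewed (or tested)
# without root; pipe the output to sh to apply it.
# Rule order inside the chain mirrors the thread's two "-I" rules, whose
# net effect is: check/REJECT first, then record the hit with --set.
build_rules() {
    sources="$1"
    echo "iptables -N $CHAIN"
    # Every exempt source leaves the chain before any counting happens.
    for src in $sources; do
        echo "iptables -A $CHAIN -s $src -j RETURN"
    done
    echo "iptables -A $CHAIN -m recent --name $LIST --update --seconds $SECONDS_WINDOW --hitcount $HITCOUNT -j REJECT --reject-with tcp-reset"
    echo "iptables -A $CHAIN -m recent --name $LIST --set"
    # Only new TCP connections on the public interface enter the chain;
    # packets that fall through return to INPUT and hit the normal rules.
    echo "iptables -I INPUT -p tcp -i $IFACE -m state --state NEW -j $CHAIN"
}

# Number of exemption rules generated for a source list.
count_exemptions() {
    build_rules "$1" | grep -c -- '-j RETURN'
}

# Sanity check: every RETURN must precede the first "recent" rule, otherwise
# an exempt host would still be counted (and eventually rejected).
exemptions_precede_limit() {
    build_rules "$1" | awk '
        /-m recent/ { seen_recent = 1 }
        /-j RETURN/ && seen_recent { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

build_rules "$EXEMPT_SOURCES"
```

Adding a further exemption later is then a single "iptables -I NEW_TCP_LIMIT -s <addr> -j RETURN", and the "recent" list keeps protecting everything that is not explicitly exempt.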

