On Fri, 2013-02-08 at 08:23 +0000, Stuart Henderson wrote:
> On 2013-02-07, Martijn van Duren <martijn...@gmail.com> wrote:
> > Thanks for all the quick responses, but if I understand you all
> > correctly there is no way to cut off an established connection by adding
> > an ip address to a blocked table, so I'm still left with my two stage
> > drop off the connection (both adding the ip to the table and killing
> > the connection manually).
>
> Correct because the state table is checked *before* packets run through the
> firewall ruleset.
>
Correct me if I'm wrong, but isn't that still somewhat dangerous? Say the next situation: I have a rule in my firewall that limits ssh connections to 3 every 30 seconds; if you exceed it, your ip address is added to a table that has a drop quick on it. Now at the same time that same ip address is brute forcing on my ftp port without building up a new connection between retries. When this ip address is automatically added to the blocked table he is qualified as bad traffic and I'd expect that other traffic to my server is cut short by then. Of course this is only an example of how an ip address could be automatically added to a table and I don't expect that every method is capable of also (easily) automatically destroying an active connection.

Martijn
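The scenario described in this reply, written out as an added pf.conf example (not from the thread or either of its authors); the interface name em0, the table name <bruteforce> and the ssh/ftp ports are assumptions. It also shows pf's "flush global" overload option, which the thread does not mention, because it removes the offender's existing states in the same step as the table insert.

```pf
# Added example, not from the thread.  Assumptions: external interface em0,
# table name <bruteforce>, ssh on port 22 and ftp on port 21.
table <bruteforce> persist

# Checked before the pass rules, but only for packets that reach the ruleset.
# A packet matching an entry already in the state table never gets here, so
# adding an address to <bruteforce> on its own leaves established sessions
# (such as the ongoing ftp session from the same host) untouched.
block in quick on em0 from <bruteforce>

# The rate limit from the example: more than 3 new ssh connections from one
# source within 30 seconds puts that source into <bruteforce>.
# "flush global" additionally removes every state originating from the
# offending host, regardless of which rule created it, so the ftp session is
# torn down at the same moment the address enters the table.
pass in on em0 proto tcp from any to (em0) port 22 \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

pass in on em0 proto tcp from any to (em0) port 21 keep state

# Without "flush global" the manual two-stage procedure from the thread is
# needed (offender address 192.0.2.10 is a constructed example value):
#   pfctl -t bruteforce -T add 192.0.2.10
#   pfctl -k 192.0.2.10
```

Load with `pfctl -f /etc/pf.conf` and inspect the table afterwards with `pfctl -t bruteforce -T show`.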