Besides the question of whether it's possible or not, it's a really bad idea for
at least two reasons.
1- Imagine this scenario:
I'm scanning with my favourite tools and notice
that you blocked my IP automatically.
I'm a really bad guy, so I use thousands of spoofed
IPs of legitimate hosts and scan you with these IPs. No matter
what the results are, I've done my job: you can't talk to these
IPs in the future... One day you'll come back from work and
notice that you don't have access to the internet anymore.
In fact the simplest way to DoS you using this behaviour is:
1- Spoof your provider's DNS (you can't resolve anymore)
2- Spoof your first gateway... Booh, bad...
2- I have hundreds of false alarms of people scanning my systems,
especially DNS servers (bad implementations of the UDP protocol...);
I shouldn't block these IPs...
Finally, I've seen that portsentry can be bound at a low level (RAW)
instead of the TCP/IP level. I thought you could use portsentry with
iptables (in fact I was using it this way but stopped, due to the behaviours
I've explained here).
I'd rather drop packets and have an IDS to see if I should really care
about someone. If it's the real-time aspect of portsentry you like, you can look
for
snort/flexresp (as bad as portsentry's problem with blocking IPs, but based
on real attacks) or SnortCon, which can alert you in real time when something is
wrong.
Jerome
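The failure mode Jerome describes (an attacker forging the victim's own resolver and gateway as the source of a port scan so that an auto-blocker cuts the victim off) is easy to reproduce in a small simulation. The following Python script is an added example written for this page; it is not code from the original post, from portsentry or from Shorewall. The addresses are assumed values from the documentation ranges, the traffic is constructed inline, and the three safeguards in `SaferBlocker` (a protected-address list, counting only completed handshakes, and expiring bans) are the editor's suggestions, not something the post proposes.

```python
"""Simulate portsentry-style auto-blocking against a spoofed port scan.

Added example for this page; not part of the original mailing-list post.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    handshake_complete: bool  # True only if the TCP 3-way handshake finished


# Assumed addresses for the simulation (documentation ranges, not real hosts).
RESOLVER = "203.0.113.53"   # the ISP's DNS server
GATEWAY = "192.0.2.1"       # the first-hop router
ATTACKER = "198.51.100.7"   # the scanner's real address


def scan(src, ports, complete):
    """A scan of `ports` from `src`; complete=False models a SYN or spoofed scan."""
    return [Packet(src, p, complete) for p in ports]


# Constructed traffic: a real SYN scan, then the same scan with the source
# forged as the victim's resolver and gateway, then a full-connect scan the
# attacker cannot spoof blindly because the handshake has to complete.
SAMPLE = (
    scan(ATTACKER, range(1, 11), complete=False)
    + scan(RESOLVER, range(1, 11), complete=False)
    + scan(GATEWAY, range(1, 11), complete=False)
    + scan(ATTACKER, range(20, 30), complete=True)
)


class NaiveBlocker:
    """portsentry-style: ban a source once it touches `threshold` distinct
    ports, regardless of whether the packets could have been spoofed."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.ports_seen = defaultdict(set)
        self.banned = set()

    def observe(self, pkt):
        self.ports_seen[pkt.src].add(pkt.dst_port)
        if len(self.ports_seen[pkt.src]) >= self.threshold:
            self.banned.add(pkt.src)

    def is_banned(self, src):
        return src in self.banned


class SaferBlocker:
    """Same trigger, with three safeguards (editor's suggestions):
    - addresses this host depends on are never banned (protected list),
    - only completed handshakes count, which a blind spoofer cannot produce,
    - bans expire after `ttl` observed packets, so a mistake is not permanent."""

    def __init__(self, protected, threshold=5, ttl=50):
        self.protected = [ip_network(p) for p in protected]
        self.threshold = threshold
        self.ttl = ttl
        self.clock = 0                 # crude clock: one tick per packet seen
        self.ports_seen = defaultdict(set)
        self.ban_until = {}

    def _is_protected(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.protected)

    def observe(self, pkt):
        self.clock += 1
        if not pkt.handshake_complete or self._is_protected(pkt.src):
            return
        self.ports_seen[pkt.src].add(pkt.dst_port)
        if len(self.ports_seen[pkt.src]) >= self.threshold:
            self.ban_until[pkt.src] = self.clock + self.ttl

    def is_banned(self, src):
        return self.ban_until.get(src, 0) > self.clock


def run(blocker, packets):
    """Feed `packets` to `blocker` and report who ended up banned."""
    for pkt in packets:
        blocker.observe(pkt)
    return {src: blocker.is_banned(src) for src in (ATTACKER, RESOLVER, GATEWAY)}


if __name__ == "__main__":
    print("naive:", run(NaiveBlocker(), SAMPLE))
    print("safer:", run(SaferBlocker([RESOLVER, GATEWAY]), SAMPLE))
```

With the naive policy the resolver and gateway are banned along with the attacker, which is exactly the self-inflicted DoS described above; the safer policy still bans the attacker's full-connect scan but ignores the forged SYNs, never touches the protected addresses, and lets the ban lapse after a while.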
----- Original Message -----
From: "Wayne Wilson" <wayne@wanbound.com>
To: <shorewall-users@shorewall.net>
Sent: Monday, October 21, 2002 12:46 PM
Subject: [Shorewall-users] Shorewall Howto
> Hi there all,
>
> Shorewall is a great product but I have one question which I am not too
> sure if it is possible and if it is a limitation of shorewall or
> IPTables.
>
> If somebody does a portscan on my firewall I would like to add a script
> that will deny them from all future access to my ip address. It is
> possible to do this with portsentry but seeing as portsentry runs behind
> shorewall it doesn't pick up the scans.
>
> Is this possible ??
>
> Thanks
> Any help is much appreciated
> Wayne
> www.wanbound.com
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>