Hello, I have used Shorewall for a very long time (2 years or so) and I use it for NAT and as a firewall. I now use portsentry to detect portscans, but there is one problem. I use the HOWTO from the shorewall mailing list to make portsentry and shorewall work together, but there is one problem: portscans get detected and a drop rule is added to shorewall, for example

  shorewall drop 62.178.xxx.xx

The shorewall entry:

  6 252 DROP all -- * * 62.178.xxx.xx 0.0.0.0/0

Now this IP can't connect to me any more, but I have a PC which has an ssh account, and if I portscan me from this IP, this IP gets blocked but I can still login with ssh at this machine, but the machine can't connect to me any more... What do I have to do to make the connection from me to him also unacceptable?

greets puchu
Rauch Wolke wrote:
> 6 252 DROP all -- * * 62.178.xxx.xx 0.0.0.0/0
>
> Now this IP can't connect to me any more, but I have a PC which has an ssh
> account, and if I portscan me from this IP, this IP gets blocked but I can
> still login with ssh at this machine, but the machine can't connect to me any
> more... What do I have to do to make the connection from me to him also
> unacceptable?

I can think of no easy way to do that. The script from the HOWTO you followed is using blacklisting ("shorewall drop") to stop traffic from the offending host(s), and Shorewall blacklisting only works on the source IP address.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
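To make Tom's point concrete, here is an added simulation (not from the thread and not Shorewall's own code) that runs constructed packets through a source-only blacklist, which is what "shorewall drop" gives you, and through one that also matches the destination address. The addresses are documentation placeholders, not the 62.178.xxx.xx from the thread.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


# Constructed sample traffic (placeholder addresses): ME is the firewall host,
# SCANNER is the host that portsentry has just blacklisted.
ME = "198.51.100.1"
SCANNER = "203.0.113.7"
TRAFFIC = [
    Packet(SCANNER, ME, 22),       # scanner -> me: what "shorewall drop" stops
    Packet(ME, SCANNER, 22),       # me -> scanner: the ssh login puchu can still do
    Packet("192.0.2.50", ME, 80),  # unrelated host, must keep passing
]


def source_blacklist(blocked, pkt):
    """Models Shorewall blacklisting: the rule matches on the source address only."""
    hit = any(ip_address(pkt.src) in net for net in blocked)
    return "DROP" if hit else "ACCEPT"


def bidirectional_blacklist(blocked, pkt):
    """Drops when either endpoint is listed, i.e. both directions are cut."""
    hit = any(ip_address(pkt.src) in net or ip_address(pkt.dst) in net
              for net in blocked)
    return "DROP" if hit else "ACCEPT"


def evaluate(policy, blocked_cidrs, packets):
    """Return the verdict for each packet under the given matching policy."""
    blocked = [ip_network(c) for c in blocked_cidrs]
    return [policy(blocked, p) for p in packets]


if __name__ == "__main__":
    for name, pol in (("source-only", source_blacklist),
                      ("bidirectional", bidirectional_blacklist)):
        print(name, evaluate(pol, [SCANNER], TRAFFIC))
```

The second packet is the one that slips through a source-only list: the outbound ssh session and its replies are never matched against the blacklisted host as a destination.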
On Thu, 28 Apr 2005, Tom Eastep wrote:
> Rauch Wolke wrote:
> > 6 252 DROP all -- * * 62.178.xxx.xx 0.0.0.0/0
> >
> > Now this IP can't connect to me any more, but I have a PC which has an ssh
> > account, and if I portscan me from this IP, this IP gets blocked but I can
> > still login with ssh at this machine, but the machine can't connect to me any
> > more... What do I have to do to make the connection from me to him also
> > unacceptable?
>
> I can think of no easy way to do that. The script from the HOWTO you
> followed is using blacklisting ("shorewall drop") to stop traffic from
> the offending host(s), and Shorewall blacklisting only works on the
> source IP address.

Is it possible to use NAT to change the offending address to an RFC 1918 address? How about setting a route for the address that points somewhere the packets would get dropped?

-- Stephen