Hi
I know this has been covered many times before but,
cannot find a good point of reference.
Anyway this is a Raq4 (fully patched inc SHP).
ipchains (via pmfirewall) defaults to DENY all then
ALLOW the services I am running.
Portsentry (-stcp, -sudp) is set to a Trigger of 1 (paranoid).
But because ipchains is denying packets the
monitored ports do not trigger Portsentry, causing the Raq to go into overdrive
when a full port sweep is happening. (I like to see what ipchains is up to so it
is logging.)
What I want is a default DENY policy but Portsentry
to see the port scans and then drop the connections from that IP via
ipchains.
What is the best way to achieve this?
The only way I can think is re-open all the
Portsentry monitored ports via ipchains, but this seems a bit daft.
Any thoughts?
Thanks
Peter