Feature #8763

symbiosis-firewall: log why IP was blacklisted

Added by Paul Rose over 4 years ago. Updated about 4 years ago.

Status: New
Start date: 2015-01-22
Priority: Normal
Due date:
Assignee: Patrick Cherry
% Done: 0%
Category: -
Target version: stretch

Description

Currently into syslog, symbiosis-firewall enters:

Jan 22 07:50:01 symwheezy symbiosis-firewall-blacklist: adding xxx.xxx.xxx.xxx to blacklist for all ports

It would be nice to know why, or by which filter, that IP address was blacklisted, as it would stop the need to search through other logs to find out.

History

#1 Updated by Paul Rose over 4 years ago

  • Tracker changed from Bug to Feature

#2 Updated by Patrick Cherry over 4 years ago

  • Target version set to jessie

#3 Updated by Patrick Cherry about 4 years ago

  • Assignee set to Patrick Cherry

#4 Updated by Patrick Cherry about 4 years ago

  • Target version changed from jessie to stretch

At the moment this is not possible without a major refactoring of the firewall code.

Symbiosis::Firewall::Blacklist#do_read aggregates hits by IP and port, rather than by which pattern file triggered the match. This is then entered into the database and used as part of the blacklisting.

The number of "matches" against a port is used as the metric to determine if an IP should be blocked or not, rather than against a specific pattern.

I'm going to kick this into stretch, as the amount of work required is quite high, in my opinion.
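As an added illustration (not Symbiosis code, and not part of this ticket), the following Ruby sketch shows the two designs the comment above contrasts: hits aggregated per IP and port, as Blacklist#do_read is described to do, versus the same counter that also retains the name of the pattern that produced each hit, so the final syslog line can state why the address was blocked. The pattern definitions, the log lines, the threshold and the function names are all constructed here for the example.

```ruby
# Added example, not symbiosis-firewall's own code. Counts blacklist "hits"
# per [ip, port] as the comment above describes, while also keeping the
# pattern name so the log message can say which filter matched.

require 'set'

# Hypothetical pattern definitions. The real firewall reads pattern files
# from disk; here each pattern is a name, the port it applies to, and a
# regex that captures the source IP from a log line.
PATTERNS = [
  { name: "ssh-auth-failure", port: 22,
    regex: /Failed password for .* from (?<ip>\d+\.\d+\.\d+\.\d+)/ },
  { name: "smtp-auth-failure", port: 25,
    regex: /warning: .*\[(?<ip>\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed/ },
].freeze

# Constructed sample log lines (documentation addresses, not a real host).
SAMPLE_LOG = <<~LOG
  Jan 22 07:45:01 host sshd[101]: Failed password for root from 192.0.2.10 port 51022 ssh2
  Jan 22 07:45:02 host sshd[102]: Failed password for admin from 192.0.2.10 port 51023 ssh2
  Jan 22 07:45:03 host sshd[103]: Failed password for root from 192.0.2.10 port 51024 ssh2
  Jan 22 07:46:10 host postfix/smtpd[200]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
  Jan 22 07:47:00 host sshd[104]: Failed password for root from 198.51.100.7 port 40000 ssh2
LOG

# Aggregate hits keyed by [ip, port]. The :count field alone is what the
# comment says the database currently stores; :patterns is the extra
# provenance the ticket asks for.
def aggregate_hits(log_text, patterns = PATTERNS)
  hits = Hash.new { |h, k| h[k] = { count: 0, patterns: Set.new } }
  log_text.each_line do |line|
    patterns.each do |pat|
      m = pat[:regex].match(line) or next
      entry = hits[[m[:ip], pat[:port]]]
      entry[:count] += 1
      entry[:patterns] << pat[:name]
    end
  end
  hits
end

# Apply a per-port hit threshold (hypothetical value) and build a
# syslog-style message that includes the pattern(s) responsible.
def blacklist_decisions(hits, threshold: 3)
  hits.select { |_, v| v[:count] >= threshold }.map do |(ip, port), v|
    why = v[:patterns].to_a.sort.join(",")
    "adding #{ip} to blacklist for port #{port} (#{v[:count]} hits, patterns: #{why})"
  end
end

if $PROGRAM_NAME == __FILE__
  puts blacklist_decisions(aggregate_hits(SAMPLE_LOG))
end
```

Run stand-alone, it prints one line for 192.0.2.10 on port 22 naming ssh-auth-failure; 198.51.100.7 stays under the threshold on both ports. The point of the sketch is that recording the pattern set alongside the counter costs one extra field per key and does not change the count-based decision the comment describes.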
