symbiosis-firewall: log why ip was blacklisted
Assignee: Patrick Cherry
Currently into syslog, symbiosis-firewall enters:
Jan 22 07:50:01 symwheezy symbiosis-firewall-blacklist: adding xxx.xxx.xxx.xxx to blacklist for all ports
It would be nice to know why, or which filter, that IP address was blacklisted, as it stops the need to search through other logs to find out.
#4 Updated by Patrick Cherry over 4 years ago
- Target version changed from jessie to stretch
At the moment this is not possible without a major refactoring of the firewall code.
Symbiosis::Firewall::Blacklist#do_read aggregates hits by IP and port, rather than which pattern file triggered the match. This is then entered into the database and used as part of the blacklisting.
The number of "matches" against a port is used as the metric to determine if an IP should be blocked or not, rather than against a specific pattern.
I'm going to kick this into stretch, as the amount of work required is quite high, in my opinion.
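As an added illustration (not Symbiosis' own code) of the refactoring the comment describes: a hypothetical reader that keeps the per-IP, per-port match count as the blocking metric but also retains which named pattern produced each hit, so the syslog line can state the reason. Pattern names, ports, regexes, the threshold and the log lines are all constructed.

```ruby
require 'ipaddr'

# Hypothetical pattern set (constructed): name => [port, regexp capturing the source IP].
PATTERNS = {
  'ssh-auth-failure'  => [22, /Failed password for .* from (\S+) port \d+/],
  'ssh-invalid-user'  => [22, /Invalid user \S+ from (\S+)/],
  'smtp-auth-failure' => [25, /\[(\S+)\]: SASL LOGIN authentication failed/],
}.freeze

# Constructed sample log lines.
SAMPLE_LOG = <<~LOG
  Jan 22 07:40:01 host sshd[1]: Failed password for root from 203.0.113.5 port 5000 ssh2
  Jan 22 07:40:02 host sshd[1]: Invalid user admin from 203.0.113.5
  Jan 22 07:40:03 host sshd[1]: Failed password for root from 203.0.113.5 port 5001 ssh2
  Jan 22 07:41:00 host postfix/smtpd[2]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: bad
  Jan 22 07:41:05 host sshd[1]: Failed password for bob from 2001:db8::1 port 4000 ssh2
LOG

# Returns { ip => { port => { pattern_name => count } } }: still counted per IP
# and port, but the triggering pattern is no longer thrown away.
def read_hits(log)
  hits = Hash.new { |h, ip| h[ip] = Hash.new { |hh, port| hh[port] = Hash.new(0) } }
  log.each_line do |line|
    PATTERNS.each do |name, (port, re)|
      next unless (m = re.match(line))
      ip = (IPAddr.new(m[1]) rescue nil) # drop unparsable addresses
      next if ip.nil?
      hits[ip.to_s][port][name] += 1
    end
  end
  hits
end

# Keep the existing metric (total matches on the busiest port >= threshold),
# but say which patterns contributed when an IP is blacklisted.
def blacklist_decisions(hits, threshold)
  hits.filter_map do |ip, ports|
    port, by_pattern = ports.max_by { |_, pats| pats.values.sum }
    next if by_pattern.values.sum < threshold
    reasons = by_pattern.map { |name, count| "#{name}=#{count}" }.sort.join(',')
    "adding #{ip} to blacklist for all ports (port #{port}: #{reasons})"
  end
end

blacklist_decisions(read_hits(SAMPLE_LOG), 3).each { |msg| puts msg }
```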