From: ROGERIO DE C. B. <rog...@dc...> - 2011-03-25 15:03:20

Hi,

I tried to implement using that approach (patch in annex), but some problems arose:

- Each filter must exist twice; this can generate a performance problem and is ugly
- It's impossible to track hostnames, because the filters are separated
- If an attacker can use IPv4 and IPv6 and fail2ban blocks by hostname, only the attacker's IPv4 or IPv6 will be blocked

So, I think it would be better if fail2ban tracked IPv4 and IPv6 internally (maybe through some lib) and decided what action to take. Probably we'll need two different actions, for IPv4 and for IPv6, and to store the IP version.

I'm studying the Python libs IPy and netaddr. Suggestions are welcome.

Quoting ROGERIO DE CARVALHO BASTOS <rog...@dc...>:

> I think that there should be different actions for IPv4 and IPv6, at
> least in the beginning, to maintain compatibility and avoid breaking old
> configurations.
> Besides, I don't know how other packet filters (like ipfw) track
> IPv4 and IPv6.
>
> Quoting Arturo 'Buanzo' Busleiman <bu...@bu...>:
>
>> In general, we might just need actions that can discern between
>> IPv4 and IPv6 addresses and run iptables or ip6tables accordingly. And
>> make <HOST> detect both types of addresses.

--
Rogerio de Carvalho Bastos
http://wiki.dcc.ufba.br/Main/RogerioBastos
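
Added example, not part of the original message and not fail2ban code: a sketch of the approach discussed in this thread, where each address is classified internally, the ban goes to iptables or ip6tables accordingly, and a hostname is banned on every address of both families. It uses Python's standard ipaddress module rather than IPy or netaddr; the chain name, the function names and the sample addresses are assumptions.

```python
import ipaddress
import socket

# Hypothetical chain name, not taken from any fail2ban configuration.
CHAIN = "example-ban"
TOOLS = {4: "iptables", 6: "ip6tables"}


def normalise(text):
    """Parse an IP literal; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # the IPv4 filter is the one that sees this traffic
    return addr


def system_resolver(host):
    """All A and AAAA addresses for a hostname, via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def ban_commands(host, resolver=system_resolver):
    """Return one (ip_version, argv) pair per distinct address behind `host`."""
    try:
        addrs = [normalise(host)]
    except ValueError:
        # Not an IP literal, so a hostname: ban every address of both families.
        addrs = [normalise(a) for a in resolver(host)]
    seen, commands = set(), []
    for addr in addrs:
        if addr in seen:
            continue
        seen.add(addr)
        tool = TOOLS[addr.version]
        argv = [tool, "-I", CHAIN, "1", "-s", str(addr), "-j", "DROP"]
        commands.append((addr.version, argv))  # version is stored with the ban
    return commands


if __name__ == "__main__":
    # Constructed resolver answers (documentation ranges), so this runs offline.
    fake_dns = {"attacker.example": ["192.0.2.10", "2001:db8::10", "::ffff:192.0.2.10"]}
    for name in ("198.51.100.7", "2001:db8::1", "attacker.example"):
        for version, argv in ban_commands(name, fake_dns.__getitem__):
            print(version, " ".join(argv))
```

The commands are only built, not executed; storing the IP version next to each ban lets the matching unban call the same tool.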