Hi there --
Thanks for your reply. I do have psad and fwsnort running, but I am still forced periodically to manually add IP addresses to the iptables file. Consequently, something in my configuration, be it with psad, fwsnort, or iptables, is not quite right.
If I place the state rule after the DROP rules, the current configuration would have me periodically 'moving' the state rule down each time I need to manually add a DROP rule. My INPUT chain is admittedly haphazard, being based on reacting to perceived attacks. Posting it would be embarrassing to say the least. If it is necessary, I can do so.
-----Original Message-----
From: fer@mts.net [mailto:fer@mts.net]
Sent: Friday, January 18, 2008 7:02 PM
To: Kaplan, Andrew H.; psad-discuss@lists.sourceforge.net
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop

Sorry to the group for overtyping, I hate Outlook.  Glad to hear things are going better Andrew.  As for the placement of the state rule, it depends what is making your “blacklist” rule.  If it’s psad or fwsnort, then they will typically place their blacklisting rules/chains at the start of the default chains, so your rule will usually occur after them as you would expect.


It’s your firewall, so you have complete control.  If your state rule is higher than any blacklisting chains or rules, then delete and re-add it.  As for it coming before “drop” lines, it all depends on what those lines are.  A typical INPUT chain with a default DROP policy means that the rules you’re adding are to specifically allow traffic, in which case order shouldn’t matter too much. In other words, the policy should read something like:

DROP blacklist, ALLOW established, ALLOW certain TCP/UDP ports, LOG anything reaching this point, and finally let the default policy (DROP) of the chain take over.


You could always post your current INPUT chain for a sanity check by doing: iptables -L INPUT -n -v




From: Kaplan, Andrew H. [mailto:AHKAPLAN@PARTNERS.ORG]
Sent: January 18, 2008 5:27 PM
To: fer@mts.net; psad-discuss@lists.sourceforge.net
Subject: RE: [psad-discuss] Meaning of error message when starting fwknop


Hi there –


The error condition that you suggested did appear to be the case. I inserted the following lines just above the list of DROP ip addresses:


# The following line has been inserted to allow fwknop to work properly.



I restarted iptables and fwknop, and everything appears to be operating normally. The output of the iptables status command for the line in question is shown below:


2    ACCEPT     all  --             state RELATED,ESTABLISHED



There is one question, shouldn’t the above line come after the DROP lines? My reasoning is that shouldn’t iptables check to see what address is attempting to connect first, and then if it is none of the ‘blacklisted’ ip addresses, then accept the connection? Thanks.

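The rule-ordering question in this thread, as an added example that is not part of the original messages: a shell function that reads an INPUT chain and flags per-address DROP rules sitting below the RELATED,ESTABLISHED ACCEPT rule. Because iptables stops at the first matching rule, such a DROP still blocks new connections from that address, but packets of connections that are already established are accepted before it is reached. The function names, output format and sample rules are constructed; the input is assumed to be `iptables -S INPUT` (or iptables-save) text.

```shell
#!/bin/sh
# Added example (not from the thread): audit INPUT rule order.
# Reads `iptables -S INPUT` or iptables-save text on stdin (assumed input format).
audit_input_order() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        n++    # rule number as shown by iptables -L INPUT --line-numbers
        src = ""; target = ""; stateful = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-s" || $i == "--source") src = $(i + 1)
            if ($i == "-j" || $i == "--jump") target = $(i + 1)
            if (($i == "--state" || $i == "--ctstate") && $(i + 1) ~ /ESTABLISHED/)
                stateful = 1
        }
        if (stateful && target == "ACCEPT" && src == "" && !state_rule) {
            state_rule = n    # first unconditional ESTABLISHED accept
        } else if (target == "DROP" && src != "" && state_rule) {
            # Blacklist entry below the state rule: established flows bypass it
            printf "late-drop rule=%d src=%s after-state-rule=%d\n", n, src, state_rule
        }
    }
    END {
        if (!state_rule) print "no-state-rule"
        if (policy != "DROP") print "policy-not-drop policy=" (policy == "" ? "unknown" : policy)
    }'
}

# Constructed sample chain (documentation addresses), state rule at position 2
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.9/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG
EOF
}

sample_rules | audit_input_order
```

On a live host the same check is `iptables -S INPUT | audit_input_order`, run as root.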