Hi,

I'm trying to figure out how iptables works, and as you'll see I don't know much yet. I'm using fedora core2, and have installed shorewall and psad (Port Scan Attack Detector). I've set psad to block offending ip address. Where do these address get written into the firewall rules? The offending ip addresses and relevant data are logged under /var/log/psad, but I can't find any other file or ruleset file with these various addresses. How does the firewall know to block these addresses?

Thanks to anyone who can point me in the right direction.

Wil Snyder

I've set psad to block offending ip address. Where do these address get written into the firewall rules?
Search the configfile for the line "List of ips that have been auto blocked by iptables". My guess is that there'll be a file containing IP's only, PSAD will build the ruleset from that. If it's just a tiny bit cool it'll add them in a different chain than IN, so you could monitor them with "iptables -n -L <chainname>" or somthing like that. Dunno, I don't use PSAD tho, so I may be totally wrong.