Support deny_action: TARPIT #127
Comments
So we could have a slice of supported actions: we check if the value is in the slice and, if not, error on startup. (cs-firewall-bouncer/pkg/iptables/iptables.go, lines 55 to 60 in 9f27212)

Will be released in next version

Just in case anyone stumbles upon this in future... despite the fix in this ticket, TARPIT doesn't work. The bouncer tries to set up an iptables rule for all protocols with TARPIT as the target, which results in "x_tables: ip_tables: TARPIT target: only valid for protocol 6" (i.e. TCP).

With xtables-addons installed, there is a `TARPIT` target available in iptables. However, setting `deny_action: TARPIT` in crowdsec-firewall-bouncer.yaml is ignored - it defaults to DENY.

Please allow `TARPIT` as an accepted value for `deny_action`. Looks like iptables.go is the right place for this.

I'd also suggest it's better to fail with an error if the config contains an unsupported value, rather than silently picking a default - this will likely prevent a lot of head scratching.
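
The startup check and the TCP-only constraint discussed in this thread, as an added example that is not the project's code. The allowlist contents, the function names, the chain and the set name `example-blocklist` are assumptions, and the trailing DROP rule for non-TCP traffic is one possible design choice.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed allowlist for this example; the bouncer's real list may differ.
var supportedActions = []string{"DROP", "REJECT", "TARPIT"}

// validateDenyAction normalises the configured value and rejects anything
// outside the allowlist, so a typo fails at startup instead of falling back.
func validateDenyAction(value string) (string, error) {
	action := strings.ToUpper(strings.TrimSpace(value))
	for _, a := range supportedActions {
		if action == a {
			return action, nil
		}
	}
	return "", fmt.Errorf("invalid deny_action %q, supported: %s",
		value, strings.Join(supportedActions, ", "))
}

// denyRules builds iptables arguments for rules matching an ipset.
// TARPIT is only valid for TCP (protocol 6), so it gets "-p tcp" and a
// second rule (DROP, assumed here) covers the remaining protocols.
func denyRules(chain, setName, action string) [][]string {
	match := []string{"-m", "set", "--match-set", setName, "src"}
	rule := func(target string, pre ...string) []string {
		r := append([]string{"-A", chain}, pre...)
		return append(append(r, match...), "-j", target)
	}
	if action == "TARPIT" {
		return [][]string{rule("TARPIT", "-p", "tcp"), rule("DROP")}
	}
	return [][]string{rule(action)}
}

func main() {
	// Constructed sample config values, including one typo.
	for _, v := range []string{"drop", "TARPIT", "TARPITT"} {
		action, err := validateDenyAction(v)
		if err != nil {
			fmt.Println("startup error:", err)
			continue
		}
		for _, r := range denyRules("INPUT", "example-blocklist", action) {
			fmt.Println("iptables", strings.Join(r, " "))
		}
	}
}
```

Without the second rule, a TCP-only TARPIT rule leaves non-TCP traffic from the listed sources unmatched.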