"port flood" treated as "port scan" resulting in blocks

Posted: 25 Jan 2013, 00:03
by Domineaux
I have found that if a user's IP gets throttled by the PORTFLOOD limit, it is logged as *Port Flood*, but LFD seeing 11 of them (one more than the defined PS_LIMIT of 10) will result in LFD adding a temporary deny against the IP for "*Port Scan* detected".

Re: "port flood" treated as "port scan" resulting in blocks

Posted: 25 Jan 2013, 09:09
by ForumAdmin
That is the intended functionality. If you do not want to block particular ports remove them from the PS_PORTS list.

Re: "port flood" treated as "port scan" resulting in blocks

Posted: 25 Jan 2013, 13:50
by Domineaux
Thank you for the workaround, but are you sure that this is really the intended functionality instead of a byproduct of the way the logs are searched? Seems like the "Port Flood" log entries were a good idea so we could tell if someone was getting throttled, but the "Port Scan" function is just checking for any blocked packet logs and indiscriminately judging them as a port scan for a temporary deny.
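
The interaction discussed in this thread, as an added example that is not from any poster and is not LFD's own code: a simplified model that counts blocked-packet log lines per source against PS_LIMIT, restricted to ports listed in PS_PORTS, and reports which log tag produced each hit. The log line layout, the sample addresses, the `0:65535,ICMP` and `0:79,81:65535,ICMP` port lists, and the function names are assumptions; the tracking time window is left out.

```python
import re
from collections import defaultdict

# Constructed sample: 11 throttled connections to port 80 from one documentation address.
SAMPLE_LOG = [
    f"Jan 25 00:00:{i:02d} host kernel: Firewall: *Port Flood* IN=eth0 "
    f"SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT=80"
    for i in range(11)
]

# Assumed layout: a "*tag*" marker followed by iptables-style SRC= and DPT= fields.
LINE_RE = re.compile(r"Firewall: \*(?P<tag>[^*]+)\* .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_ports(spec):
    """Expand a PS_PORTS-style list such as '0:79,81:65535' into (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item or not item[0].isdigit():
            continue  # skip non-numeric entries such as ICMP
        low, _, high = item.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def port_scan_hits(lines, ps_ports, ps_limit=10):
    """Return {src: {tag: count}} for sources whose tracked lines exceed ps_limit."""
    ranges = parse_ports(ps_ports)
    per_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        # Only ports covered by the PS_PORTS list count toward the limit.
        if any(lo <= dpt <= hi for lo, hi in ranges):
            per_src[m["src"]][m["tag"]] += 1
    return {src: dict(tags) for src, tags in per_src.items()
            if sum(tags.values()) > ps_limit}
```

The per-tag breakdown in the result makes it visible when a "Port Scan" block was built entirely from *Port Flood* lines, which is the case described in the first post.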