recent-badguys also triggers for broadcast and multicast.

[ypid]

Hi

One should be careful when enabling ferm_mark_portscan as it also triggers for broadcast and multicast and thus might block legitimate hosts. This is probably only relevant for LAN environments.

I have solved that issue for my workstation with the "addrtype" module (custom Firewall script 😉 ):

-m addrtype --dst-type BROADCAST,MULTICAST

[drybjed]

Marking potential port scans in this way is not active by default in debops.ferm. Perhaps a separate list of whitelisted networks could be added here, so that the affected hosts can be easily added. I imagine that this would be a broad range of hosts.