Two questions/proposals for the netfilter core developers
Thu, 25 Oct 2001 11:53:04 -0700 (PDT)
--- s I n <sin@Aniela.EU.ORG> wrote:
> I have two questions for the netfilter core developers and for the others
> that know how netfilter works:
> 1) Is someone working (or has the intention) to make match target that can
> act like a dynamic firewall, that can be used like this:
> ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action
> and the effect to such a command to be the insertion of a new rule that
> will drop all the traffic coming from the host that sent the string
> "hello" to the host receiving it ?
No. netfilter, and kernel-space in general, is NOT the place to be
doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.
> 2) Is someone working (or has the intention) to make a module for
> netfilter that can do per host/service accounting without influencing the
> behaviour of a firewall ?
AFAIK, no. I played around with a simple packet/byte counter which exported
info via /proc a while back, but lost the source during a hard drive upgrade :(
> Patrascu Eugeniu
Permanent e-mail: email@example.com
Current e-mail: firstname.lastname@example.org
Alternate e-mail: email@example.com
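The reply above points at the user-space alternative: let netfilter REDIRECT the connection to a proxy, and have the proxy recover where the client was really going with the SO_ORIGINAL_DST getsockopt. As an added example (not code from the thread, from Squid, or from the netfilter project), here is a minimal acceptor doing exactly that. It assumes Linux with conntrack loaded and a NAT rule of the form `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128` (the port and the helper names below are this example's own choices); a real proxy would connect() onward to the recovered address and relay bytes, which is left out here.

```c
/* Added example: transparent-proxy acceptor that asks conntrack for the
 * original destination of a REDIRECTed TCP connection. Not from the
 * original thread; port 3128 and the helper names are assumptions. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* value used by the Linux kernel */
#endif

#define PROXY_PORT 3128             /* assumed, matches the REDIRECT rule */

/* Recover the address the client connected to before NAT rewrote it.
 * Returns 0 and fills *orig on success, -1 with errno set otherwise
 * (e.g. no conntrack entry, or fd is not a redirected TCP socket). */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Build a sockaddr_in from a dotted quad and a host-order port.
 * Returns 0 on success, -1 if the address does not parse. */
int make_sockaddr_in(const char *ip, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Render a sockaddr_in as "a.b.c.d:port" into buf and return buf. */
char *format_sockaddr_in(const struct sockaddr_in *sa, char *buf, size_t buflen)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

int main(void)
{
    struct sockaddr_in bind_addr;
    int one = 1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { perror("socket"); return 1; }
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    make_sockaddr_in("0.0.0.0", PROXY_PORT, &bind_addr);
    if (bind(lfd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0 ||
        listen(lfd, 16) < 0) {
        perror("bind/listen");
        return 1;
    }

    for (;;) {
        struct sockaddr_in peer, orig;
        socklen_t plen = sizeof peer;
        char pbuf[32], obuf[32];
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) { perror("accept"); continue; }

        if (get_original_dst(cfd, &orig) == 0) {
            /* This is where a proxy would connect() to orig and relay,
             * or apply a per-destination policy in user space. */
            printf("%s originally wanted %s\n",
                   format_sockaddr_in(&peer, pbuf, sizeof pbuf),
                   format_sockaddr_in(&orig, obuf, sizeof obuf));
        } else {
            /* Direct (non-redirected) connections or missing conntrack
             * land here; refuse rather than guess a destination. */
            fprintf(stderr, "SO_ORIGINAL_DST failed: %s\n", strerror(errno));
        }
        close(cfd);
    }
}
```

Because the original destination comes from the connection-tracking table rather than from anything the client sent, the proxy can enforce policy on the real target even though the packets were addressed to it; the failure branch matters, since a socket that was not redirected has no conntrack mapping to return.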