Two questions/proposals for the netfilter core developers
Brad Chapman
kakadu_croc@yahoo.com
Thu, 25 Oct 2001 11:53:04 -0700 (PDT)
Mr. Eugeniu,
--- s I n <sin@Aniela.EU.ORG> wrote:
> Hi,
>
>
> I have two questions for the netfilter core developers and for the others
> that know how netfilter works:
>
> 1) Is someone working (or has the intention) to make match target that can
> act like a dynamic firewall, that can be used like this:
>
> ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action
> DROP
>
> and the effect to such a command to be the insertion of a new rule that
> will drop all the traffic coming from the host that sent the string
> "hello" to the host receiving it ?
No. netfilter, and kernel-space in general, is NOT the place to be
doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.
>
>
> 2) Is someone working (or has the intention) to make a module for
> netfilter that can do per host/service accounting without influencing the
> behaviour of a firewall ?
AFAIK, no. I played around with a simple packet/byte counter which exported
info via /proc a while back, but lost the source during a hard drive upgrade :(
>
>
>
> Regards,
>
> Patrascu Eugeniu
Brad
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
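The second question above asks for per host/service accounting that does not change what the firewall does. With iptables this is usually done without any kernel module at all: rules that carry no `-j` target never accept or drop anything, they only increment their packet and byte counters and let the packet fall through to the next rule. The script below is an added example, not code from the thread or from the netfilter project. It prints the rules for a dedicated accounting chain (the chain name `ACCT` and the 192.0.2.x addresses are assumptions for illustration) and parses a constructed sample of `iptables -nvxL ACCT` output into per-host and per-service byte totals, so it runs offline without root.

```shell
#!/bin/sh
# Added example (not from the original thread): accounting chain whose rules
# have no -j target, so they only count, plus a parser for the counters.

# Rules that install the accounting chain. The INPUT/OUTPUT hooks only jump
# into ACCT; every ACCT rule falls through, so policy is untouched. Printed
# rather than executed so the script works without root. Chain name and
# addresses are constructed for the example.
acct_rules() {
    cat <<'EOF'
iptables -N ACCT
iptables -I INPUT 1 -j ACCT
iptables -I OUTPUT 1 -j ACCT
iptables -A ACCT -s 192.0.2.10 -p tcp --dport 80
iptables -A ACCT -s 192.0.2.10 -p tcp --dport 22
iptables -A ACCT -s 192.0.2.11 -p tcp --dport 80
EOF
}

# Constructed sample of "iptables -nvxL ACCT" output (-x gives exact counters).
# The target column is empty because the rules have no -j, so after whitespace
# splitting the source address is field 7 and "dpt:NN" is the last field.
SAMPLE_ACCT='Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     98400            tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:80
      15      1800            tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:22
     300    412000            tcp  --  *      *       192.0.2.11           0.0.0.0/0            tcp dpt:80'

# Sum bytes per source host from "iptables -nvxL" output on stdin.
# Skips the two header lines and anything whose first field is not a counter.
bytes_per_host() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { total[$7] += $2 }
         END { for (h in total) printf "%s %d\n", h, total[h] }' | sort
}

# Sum bytes per destination port ("dpt:NN") from the same output.
bytes_per_service() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { total[$NF] += $2 }
         END { for (s in total) printf "%s %d\n", s, total[s] }' | sort
}

# Byte total for one host in the sample, e.g. bytes_for_host 192.0.2.10
bytes_for_host() {
    printf '%s\n' "$SAMPLE_ACCT" | bytes_per_host | awk -v h="$1" '$1 == h { print $2 }'
}

# Byte total for one service in the sample, e.g. bytes_for_service dpt:80
bytes_for_service() {
    printf '%s\n' "$SAMPLE_ACCT" | bytes_per_service | awk -v s="$1" '$1 == s { print $2 }'
}

# Stand-alone run: show the rules, then both reports over the sample.
acct_rules
printf '%s\n' "$SAMPLE_ACCT" | bytes_per_host
printf '%s\n' "$SAMPLE_ACCT" | bytes_per_service
```

On a live system the reports would read `iptables -nvxL ACCT` directly instead of the sample; `iptables -Z ACCT` resets the counters after each collection interval. Because no ACCT rule terminates processing, the chain can be inserted in front of any existing policy without changing it.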