Two questions/proposals for the netfilter core developers
Thu, 25 Oct 2001 22:05:18 +0300 (EEST)
> > I have two questions for the netfilter core developers and for the others
> > that know how netfilter works:
> > 1) Is someone working (or has the intention) to make a match target that can
> > act like a dynamic firewall, that can be used like this:
> > ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action DROP
> > and the effect of such a command to be the insertion of a new rule that
> > will drop all the traffic coming from the host that sent the string
> > "hello" to the host receiving it ?
> No. netfilter, and kernel-space in general, is NOT the place to be
> doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
> like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.
The string match option was just an example. The idea was to match
something (like a portscan) and then dynamically drop new connections
from the host that made the portscan, and so avoid another portscan or
an attack from that host. This kind of new target would be useful if you
have a machine and don't have time to check the logs for clues about
portscans and then to find the IP from where the portscan came and then to
add a rule to iptables that drops connections from that IP.
I hope now I have made myself understood.
> > 2) Is someone working (or has the intention) to make a module for
> > netfilter that can do per host/service accounting without influencing the
> > behaviour of a firewall ?
> AFAIK, no. I played around with a simple packet/byte counter which exported
> info via /proc a while back, but lost the source during a hard drive upgrade :(
> > Regards,
> > Patrascu Eugeniu
> Brad Chapman
> Permanent e-mail: firstname.lastname@example.org
> Current e-mail: email@example.com
> Alternate e-mail: firstname.lastname@example.org
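The thread above asks for an in-kernel "dynamic" target and gets the answer that this belongs in user space. As an added example (written for this page; it is not code from the netfilter project or from either poster), here is the user-space shape of what the first question describes: the kernel only logs SYNs with the LOG target, a small daemon reads the log, treats one source hitting several distinct destination ports within a short window as a portscan, inserts a DROP rule for that source with iptables, and removes the rule again after a timeout. The LOG prefix, the thresholds, the whitelist and the sample log lines are all assumptions made up for the demonstration.

```python
"""Added example: a user-space "dynamic firewall" as discussed in the thread.

Illustration code written for this page, not code from the netfilter project
or from either poster. The kernel only logs (iptables LOG target); the policy
lives in user space. A port scan is taken to be one source hitting THRESHOLD
distinct destination ports within WINDOW seconds; such a source gets an INPUT
DROP rule that is removed again after BLOCK_FOR seconds. Assumed: a rule like
    iptables -A INPUT -p tcp --syn -m limit --limit 50/s -j LOG --log-prefix "SCAN "
feeds the kernel log lines parsed below; the thresholds are arbitrary.
"""
import re
import subprocess
import sys
import time
from collections import defaultdict

WINDOW = 10        # seconds over which distinct ports are counted
THRESHOLD = 5      # distinct destination ports in WINDOW => port scan
BLOCK_FOR = 600    # seconds a DROP rule stays in place

# Fields of a LOG-target line; SPT/DPT are present only for TCP/UDP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)")


class ScanBlocker:
    def __init__(self, run=subprocess.run, now=time.time, whitelist=()):
        self.run = run                    # injectable so the demo needs no root
        self.now = now                    # injectable clock
        self.whitelist = set(whitelist)   # never block these (monitoring hosts etc.)
        self.hits = defaultdict(list)     # src -> [(timestamp, dport), ...]
        self.blocked = {}                 # src -> expiry timestamp

    def iptables(self, *args):
        self.run(["iptables", *args], check=True)

    def feed(self, line):
        """Consume one kernel log line; return the source if it was just blocked."""
        m = LOG_RE.search(line)
        if not m:
            return None
        src, dport, ts = m.group("src"), int(m.group("dpt")), self.now()
        if src in self.whitelist or src in self.blocked:
            return None
        recent = [(t, p) for t, p in self.hits[src] if ts - t <= WINDOW]
        recent.append((ts, dport))
        self.hits[src] = recent
        if len({p for _, p in recent}) < THRESHOLD:
            return None
        # Insert at the top of INPUT so it wins over any later ACCEPT rule.
        self.iptables("-I", "INPUT", "-s", src, "-j", "DROP")
        self.blocked[src] = ts + BLOCK_FOR
        del self.hits[src]
        return src

    def expire(self):
        """Remove DROP rules whose time is up; return the sources unblocked."""
        ts = self.now()
        expired = [s for s, exp in self.blocked.items() if exp <= ts]
        for src in expired:
            self.iptables("-D", "INPUT", "-s", src, "-j", "DROP")
            del self.blocked[src]
        return expired


# Constructed sample line in the LOG target's format (not a real capture).
SAMPLE = ("Oct 25 22:05:18 gw kernel: SCAN IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
          "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 "
          "DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")


def run_demo():
    """Replay constructed traffic against a fake clock and a fake iptables."""
    commands, clock = [], [1000.0]

    def fake_run(argv, check=True):
        commands.append(" ".join(argv))

    b = ScanBlocker(run=fake_run, now=lambda: clock[0], whitelist={"10.0.0.1"})
    traffic = [("203.0.113.5", [21, 22, 23, 25, 80]),   # scanner: blocked on 5th port
               ("198.51.100.9", [80] * 6),              # busy web client: not a scan
               ("10.0.0.1", [21, 22, 23, 25, 80])]      # whitelisted scanner: ignored
    for src, ports in traffic:
        for dport in ports:
            b.feed(SAMPLE.format(src=src, dpt=dport))
            clock[0] += 1.0
    clock[0] += BLOCK_FOR       # let the DROP rule age out
    b.expire()
    return commands


if __name__ == "__main__":
    if sys.stdin.isatty():
        print("\n".join(run_demo()))
    else:
        blocker = ScanBlocker()   # real iptables; needs root
        for line in sys.stdin:    # e.g. tail -F /var/log/kern.log | python3 this.py
            blocker.feed(line)
            blocker.expire()
```

Two caveats a practitioner would want before running something like this against real traffic. First, the source address of a bare SYN is not authenticated, so an attacker can spoof a scan from an address you depend on (your DNS server, your own monitoring box) and have this daemon block it; the whitelist and the expiry timeout are there to limit that damage, not to remove it. Second, logging every SYN is expensive under a real flood, which is why the assumed LOG rule carries `-m limit`; the same rate limit means a fast enough scan can slip under the detector. Later netfilter releases grew an in-kernel `recent` match (`--set`, `--update --seconds --hitcount`) that expresses roughly this policy without a user-space daemon, but it is not what the thread discusses.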