Two questions/proposals for the netfilter core developers

Brad Chapman
Thu, 25 Oct 2001 12:14:54 -0700 (PDT)

Mr. Eugeniu,

--- s I n <sin@Aniela.EU.ORG> wrote:
> > > I have two questions for the netfilter core developers and for the others
> > > that know how netfilter works:
> > >
> > > 1) Is someone working (or has the intention) to make match target that can
> > > act like a dynamic firewall, that can be used like this:
> > >
> > > ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action
> > >    DROP
> > >
> > > and the effect to such a command to be the insertion of a new rule that
> > > will drop all the traffic coming from the host that sent the string
> > > "hello" to the host receiving it ?
> >
> > 	No. netfilter, and kernel-space in general, is NOT the place to be
> > doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
> > like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.
> The string match option was just an example. The idea was to match
> something (like a portscan) and then dynamically drop new connections
> from the host that made the portscan, and so avoid other portscans or
> an attack from that host. This kind of new target would be useful if you
> have a machine and don't have time to check the logs for clues about
> portscans and then to find the IP from where the portscan came and then to
> add a rule to iptables that drops connections from that IP.

	Oh. IIRC, hogwash does that.

	Unfortunately the URL is missing from my brain right now, so you'll
have to do a search (Google).

> I hope now I made myself understood.
> Regards,
> 	Patrascu Eugeniu.
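The reaction loop Eugeniu asks for (match something once, then drop everything from that source host) can be built in userspace, which is where the reply above says it belongs: the kernel rule only LOGs the matching packet, and a script turns the logged SRC= address into a DROP rule. The script below is an added example written for this page, not code from the thread or from the netfilter project; the chain name DYNBLOCK, the log prefix "DYNBLOCK: ", the log path /var/log/kern.log and the sample log lines are all assumptions made here. The string-match trigger from the original question is kept only as the example trigger; any other match (a port-scan detector's LOG rule, for instance) would feed the same loop.

```shell
#!/bin/sh
# Added example, not code from the thread: a userspace reaction loop that
# approximates the proposed DYNAMIC target. The kernel side only logs matching
# packets with a fixed prefix; this script turns each distinct SRC= address
# into a DROP rule in a dedicated chain. Chain name, log prefix and log path
# are assumptions made here for the example.
CHAIN="${CHAIN:-DYNBLOCK}"
PREFIX="${PREFIX:-DYNBLOCK: }"
KERNLOG="${KERNLOG:-/var/log/kern.log}"

# Print (do not run) the one-time setup: a dedicated chain consulted first in
# INPUT, and the trigger rule from the original question with LOG as the
# action instead of an in-kernel "drop this host from now on" target.
setup_rules() {
    printf '%s\n' \
        "iptables -N $CHAIN" \
        "iptables -I INPUT 1 -j $CHAIN" \
        "iptables -A INPUT -p tcp -m string --string \"hello\" -j LOG --log-prefix \"$PREFIX\""
}

# Read kernel LOG lines on stdin; for every line carrying our prefix, emit one
# "iptables -I $CHAIN -s A.B.C.D -j DROP" per distinct source address. Lines
# from other LOG rules are ignored, repeats of an address produce one rule,
# and addresses listed in the optional seen-file ($1, one per line) are
# skipped so the script can be restarted without duplicating rules.
block_rules_from_log() {
    seen_file="${1:-/dev/null}"
    awk -v chain="$CHAIN" -v prefix="$PREFIX" -v seenfile="$seen_file" '
        BEGIN { while ((getline l < seenfile) > 0) seen[l] = 1 }
        index($0, prefix) == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) != "SRC=") continue
                ip = substr($i, 5)
                if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in seen)) {
                    seen[ip] = 1
                    printf "iptables -I %s -s %s -j DROP\n", chain, ip
                }
            }
        }'
}

# Live mode: follow the kernel log and execute the generated rules. Needs root
# and a syslog that writes kernel messages to $KERNLOG; not run by default.
watch_and_block() {
    tail -F "$KERNLOG" | block_rules_from_log "${1:-/dev/null}" | sh
}

# Constructed sample log in the shape the LOG target produces: two hits from
# 10.0.0.5, one unrelated line from another LOG rule, one hit from 192.0.2.9.
SAMPLE_LOG='Oct 25 12:14:54 gw kernel: DYNBLOCK: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4321 DPT=80
Oct 25 12:14:55 gw kernel: SSH: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=1111 DPT=22
Oct 25 12:14:56 gw kernel: DYNBLOCK: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4322 DPT=80
Oct 25 12:14:57 gw kernel: DYNBLOCK: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=5555 DPT=80'

# Dry run on the sample: prints the setup commands, then exactly two DROP rules
# (one for 10.0.0.5, one for 192.0.2.9); nothing is executed.
setup_rules
printf '%s\n' "$SAMPLE_LOG" | block_rules_from_log
```

Two caveats a practitioner would want before running the live mode. First, the source address of a single packet is attacker-controlled: anyone can send a packet with a forged SRC= (a TCP SYN needs no handshake to be logged), so an automatic blocker of this kind can be made to cut the host off from its own DNS server, upstream router or administrator. Second, the rules here never expire and a per-packet string match can be evaded by splitting the pattern across segments, so the seen-file, an expiry job, and a match that is harder to spoof than one packet's payload are all needed before this is more than a demonstration of the mechanism.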


