Two questions/proposals for the netfilter core developers

Brad Chapman kakadu_croc@yahoo.com
Thu, 25 Oct 2001 12:14:54 -0700 (PDT)


Mr. Eugeniu,

--- s I n <sin@Aniela.EU.ORG> wrote:
> > > I have two questions for the netfilter core developers and for the others
> > > that know how netfilter works:
> > >
> > > 1) Is someone working (or has the intention) to make match target that can
> > > act like a dynamic firewall, that can be used like this:
> > >
> > > ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action
> > >    DROP
> > >
> > > and the effect to such a command to be the insertion of a new rule that
> > > will drop all the traffic comming from the host that sent the string
> > > "hello" to the host receiving it ?
> >
> > 	No. netfilter, and kernel-space in general, is NOT the place to be
> > doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
> > like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.
> 
> 
> The string match option was just an example. The ideea was to match
> something (like a portscan) and than dinamically drop new connections
> from the host that made the portscan, and so avoid another portscans or
> an attack from that host. This kind of new target would be usefull if you
> have a machine and don't have time to check the logs for clues about
> portscans and then to find the ip from where the portscan came and then to
> add a rule to the iptables that drops connections from that ip.

	Oh. IIRC, hogwash does that.

	Unfortunately the URL is missing from my brain right now, so you'll
have to do a search (Google).

> 
> I hope now I made my self understood.
> 
> 
> Regards,
> 
> 	Patrascu Eugeniu.
> 

Brad


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net

__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com