Two questions/proposals for the netfilter core developers

Henrik Nordstrom hno@marasystems.com
Thu, 25 Oct 2001 21:20:38 +0200


s I n wrote:

> The string match option was just an example. The idea was to match
> something (like a portscan) and then dynamically drop new connections
> from the host that made the portscan, and so avoid another portscan or
> an attack from that host. This kind of new target would be useful if you
> have a machine and don't have time to check the logs for clues about
> portscans and then to find the IP from where the portscan came and then to
> add a rule to the iptables that drops connections from that IP.

Which is a completely different matter than your original question.

What will not happen in Netfilter is the ability to send responses to
the caller when dropping a connection, as doing so requires a TCP to be
running. For such operations use userspace.

What you describe above is available today by using for example the pool
match/target from p-o-m.

Regards
Henrik Nordström
MARA Systems AB