Two questions/proposals for the netfilter core developers

s I n sin@Aniela.EU.ORG
Thu, 25 Oct 2001 22:36:37 +0300 (EEST)


> > The string match option was just an example. The ideea was to match
> > something (like a portscan) and than dinamically drop new connections
> > from the host that made the portscan, and so avoid another portscans or
> > an attack from that host. This kind of new target would be usefull if y=
ou
> > have a machine and don't have time to check the logs for clues about
> > portscans and then to find the ip from where the portscan came and then=
 to
> > add a rule to the iptables that drops connections from that ip.
>
> Which is a completely different matter than your original question.
>

As I said before, that was just an example that got misunderstood.


> What will not happen in Netfilter is the ability top send responses to
> the caller when dropping a connection as doing so requires a TCP to be
> running. For such operations use userspace.
>
> What you describe above is available today by using for example the pool
> match/target from p-o-m.
>

I will try to use that match target and see what I can achive.

> Regards
> Henrik Nordstr=F6m
> MARA Systems AB
>

Regards,

=09=09Patrascu Eugeniu