Two questions/proposals for the netfilter core developers

s I n sin@Aniela.EU.ORG
Fri, 26 Oct 2001 09:53:52 +0300 (EEST)


> --- s I n <sin@Aniela.EU.ORG> wrote:
> > Hi,
> >
> > I have two questions for the netfilter core developers and for the others
> > that know how netfilter works:
> >
> > 1) Is someone working (or has the intention) to make a match target that can
> > act like a dynamic firewall, that can be used like this:
> >
> > ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action
> >    DROP
> >
> > and the effect of such a command to be the insertion of a new rule that
> > will drop all the traffic coming from the host that sent the string
> > "hello" to the host receiving it?
> >
>
> actually yes, i'm working on such a thing... basically using the idea from
> ULOG, matching packets & sending them to a central database server... every
> evening all the clients download these new updates and block possibly
> dangerous hosts. say for instance a host makes requests on an unused ip
> (we use these to detect things like Nimda), if more than 2 IPs out of our
> multiple class C's get hit an entry is made into the database for a 7 day
> "ban", if more than 5 hosts get hit, the server tries to get the admin
> contact of the ip owner & sends off an email with detailed logs.

This sounds like a cool thingy. I asked the first question because I have
a machine that stays unsupervised 5 days a week and I want to make sure
that it drops any further portscan attempts before I can check the rules
listed by iptables to see who tried to attack my machine. The idea behind
my initial question is that if I can manually block portscans from hosts,
why can't these attack attempts be automatically blocked?

>
> >
> > 2) Is someone working (or has the intention) to make a module for
> > netfilter that can do per host/service accounting without influencing the
> > behaviour of a firewall?
> >
>
> i've written an iptables parser, which i'm currently (as i write this),
> rewriting... it takes match rules out of a config file and builds simple
> tables which are then parsed by a perl script & inserted into a postgres
> database. from there, a cgi script is used which pulls values out of
> the database creating either reports or graphs, this is attached to the
> ESTABLISHED,RELATED match, so it doesn't affect the actual firewall
> as we accept packets there anyway.
>

I would be interested in your software package. Can you send me a copy of
your scripts to see if they satisfy my needs?


> >
>
> the first software package i described above is still in testing & no
> public release is available as yet. the second of which is basically
> the same story, but if u like i could send u a copy of the scripts
> and u could try figure them out.
>
> >
> > Regards,
> >
> > 	Patrascu Eugeniu
>
> ================================================================================
>
> Contact Details
> ---------------
> Name: Nigel Kukard
> GSM Mobile: (+27) 082 564 2120
> GSM Fax: (+27) 082 131 564 2120
> Email: nkukard@linuxrulz.za.net
>
> Organizations
> -------------
>  - LinuxRulz
>      Url: http://www.linuxrulz.za.net
>      Position: Owner
>  - Linux Based Systems Design
>      Url: http://www.lbsd.net
>      Position: Systems Designer, Programmer
>  - Lando Technologies
>      Url: http://www.lando.co.za
>      Position: Linux Systems/Network Administrator
>
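An added example, not code from this thread or from either poster's scripts: the accounting approach described above (counting rules in their own chain, a script reading the counters into a database) starts with parsing what `iptables -nvxL` prints. This Python parser handles the exact counters and the empty target column of pure counting rules, then totals per destination host and service; the chain name ACCOUNTING, the protocol list and the sample output are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -nvxL ACCOUNTING` output; not real counters.
# The rules without a target (pure counting rules) leave that column blank.
SAMPLE = """\
Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520   1835210            tcp  --  *      *       0.0.0.0/0            192.168.1.10         tcp dpt:80
     310     41200            tcp  --  *      *       0.0.0.0/0            192.168.1.10         tcp dpt:22
      42      3360 RETURN     udp  --  *      *       0.0.0.0/0            192.168.1.20         udp dpt:53
    9870  11230411            tcp  --  *      *       0.0.0.0/0            192.168.1.20         tcp dpt:443
"""

# Protocol names iptables prints in the "prot" column (assumed list).
PROTOCOLS = {"all", "tcp", "udp", "icmp", "udplite", "sctp"}


def parse_counters(text):
    """Return one dict per rule line with its exact packet/byte counters."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue  # skip the chain header, column header and blank lines
        # A rule with no target leaves that column empty, so the protocol
        # shifts into position 2; detect that so the columns stay aligned.
        if f[2] in PROTOCOLS or f[2].isdigit():
            target, rest = "", f[2:]
        else:
            target, rest = f[2], f[3:]
        proto, _opt, _in, _out, src, dst = rest[:6]
        rows.append({"pkts": int(f[0]), "bytes": int(f[1]), "target": target,
                     "proto": proto, "src": src, "dst": dst,
                     "extra": " ".join(rest[6:])})
    return rows


def per_host_service(rows):
    """Aggregate packets and bytes per (destination host, protocol, port)."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for r in rows:
        m = re.search(r"dpt:(\d+)", r["extra"])
        port = int(m.group(1)) if m else None
        key = (r["dst"], r["proto"], port)
        totals[key]["pkts"] += r["pkts"]
        totals[key]["bytes"] += r["bytes"]
    return dict(totals)
```

Feed it the live output of `iptables -nvxL ACCOUNTING` instead of SAMPLE and the returned totals are ready to insert into a database or graph, without touching the chains that actually filter traffic.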