[RFC] An idea on conntrack expiration (was: Re: unused established connections)
Brad Chapman
kakadu_croc@yahoo.com
Mon, 28 Jan 2002 12:01:43 -0800 (PST)
Mr. Frost,
--- Stephen Frost <sfrost@snowman.net> wrote:
> * Graham Houston (houston@iontech.co.uk) wrote:
> > Some people in my building leave open SSH terms to the servers and go home;
> > this is a security problem and many times they've been told not to do this,
> > but connection dropping could be the answer and of course it frees some
> > resources from the kernel. Is this possible?
>
> If this is a concern then educate your users. It might be a
> nice thing to have in iptables as well, I don't deny that, but
> in this case it's not likely to help you much. ssh allows users
> to set a 'Protocol Keep Alive' which will make it look like the
> ssh is still alive even if no one is there at the SSH level. No
> firewall software would be able to deterministically tell the
> difference.
Maybe not. Fabrice Marie's time match might work if you wanted to prevent
your users from using SSH at certain times, but AFAIK there isn't any way to set
an expire time for connections in conntrack (yet).
Here's an idea: we create a target (EXPIRE), which sets a field in nfct (?)
for an expiration time in whatever unit suits the purposes of users. We save the
current time (get_fast_time() (?)) and the expiration time. Somewhere in the
conntrack core (ip_conntrack_in(), perhaps), we add the two values and see if it
is smaller than the current time. If so, we DROP.
The only problems with this are:
1. The blessing of the Connection Tracking Gods (Jozsef and Harald)
2. The lack of hook entries before conntrack
3. Would anybody use this?
This would also provide the ability to clear up a long-standing difficulty
about conntrack table choking that I've read about on the netfilter lists (mostly
a while ago).
Is anyone interested? If so, I'll send this on to Jozsef and Harald.
> Stephen
Brad
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
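The following is an added illustration of the EXPIRE idea sketched above, written as a small userspace C model; it is not code from the post, from netfilter, or from the Linux kernel. All names (jiffies_t, HZ, expire_target, ct_in_check, handle_packet) are hypothetical, the tick counter and the sample connection table are constructed, and tick_after() is a userspace reimplementation of the idea behind the kernel's time_after() macro rather than the kernel's own. The point it adds is the caveat a reviewer of such a patch would raise: the check as described ("add the two values and see if it is smaller than the current time") misbehaves when a 32-bit tick counter wraps, so the deadline comparison is shown both naively and wraparound-safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the EXPIRE proposal (constructed example, not netfilter code).
 * jiffies_t stands in for the kernel tick counter; HZ is a made-up tick rate. */
typedef uint32_t jiffies_t;
#define HZ 100

enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };

struct ct_entry {
    uint32_t  src, dst;      /* constructed tuple fields (IPv4 as host-order ints) */
    uint16_t  sport, dport;
    bool      has_expire;    /* set when a hypothetical EXPIRE rule matched this flow */
    jiffies_t stamped_at;    /* "current time" saved by the target */
    jiffies_t lifetime;      /* "expiration time" saved by the target, in ticks */
};

/* Wraparound-safe "a is later than b" on a 32-bit counter (the idea behind the
 * kernel's time_after() macro; reimplemented here, not taken from the kernel). */
static bool tick_after(jiffies_t a, jiffies_t b)
{
    return (int32_t)(b - a) < 0;
}

/* The hypothetical EXPIRE target: stamp the entry with now and a lifetime. */
void expire_target(struct ct_entry *ct, jiffies_t now, unsigned seconds)
{
    ct->has_expire = true;
    ct->stamped_at = now;
    ct->lifetime   = (jiffies_t)seconds * HZ;
}

/* The check the post would put in the conntrack input path, taken literally:
 * "add the two values and see if it is smaller than the current time".
 * Kept deliberately naive to show what happens when the counter wraps. */
enum verdict ct_in_check_naive(const struct ct_entry *ct, jiffies_t now)
{
    if (!ct->has_expire)
        return NF_ACCEPT;
    return (ct->stamped_at + ct->lifetime < now) ? NF_DROP : NF_ACCEPT;
}

/* Same check, but the deadline is compared with tick_after() so a wrapped
 * counter does not make every stamped connection look expired. */
enum verdict ct_in_check(const struct ct_entry *ct, jiffies_t now)
{
    if (!ct->has_expire)
        return NF_ACCEPT;
    jiffies_t deadline = ct->stamped_at + ct->lifetime;  /* may wrap; that is fine */
    return tick_after(now, deadline) ? NF_DROP : NF_ACCEPT;
}

/* Convenience wrapper: stamp a fresh entry and evaluate it at time `now`. */
enum verdict verdict_for(jiffies_t stamped_at, unsigned seconds, jiffies_t now, bool naive)
{
    struct ct_entry ct = {0};
    expire_target(&ct, stamped_at, seconds);
    return naive ? ct_in_check_naive(&ct, now) : ct_in_check(&ct, now);
}

/* Input-path model: look the packet up in a tiny conntrack table. A packet with
 * no entry is treated as NEW and accepted (conntrack would create the entry). */
enum verdict handle_packet(const struct ct_entry *table, size_t n,
                           uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                           jiffies_t now)
{
    for (size_t i = 0; i < n; i++) {
        const struct ct_entry *ct = &table[i];
        if (ct->src == src && ct->dst == dst && ct->sport == sport && ct->dport == dport)
            return ct_in_check(ct, now);
    }
    return NF_ACCEPT;
}

int main(void)
{
    /* Two constructed SSH sessions to 10.0.0.5:22; only the first hit an EXPIRE rule. */
    struct ct_entry table[2] = {
        { 0x0A000001, 0x0A000005, 40000, 22, false, 0, 0 },
        { 0x0A000002, 0x0A000005, 40001, 22, false, 0, 0 },
    };
    expire_target(&table[0], 1000, 60);   /* 60 s lifetime, stamped at tick 1000 */

    jiffies_t t = 1000 + 60 * HZ + 1;     /* one tick past the deadline */
    printf("expiring session:  %s\n",
           handle_packet(table, 2, 0x0A000001, 0x0A000005, 40000, 22, t) == NF_DROP ? "DROP" : "ACCEPT");
    printf("untouched session: %s\n",
           handle_packet(table, 2, 0x0A000002, 0x0A000005, 40001, 22, t) == NF_DROP ? "DROP" : "ACCEPT");
    printf("naive check just before a counter wrap: %s\n",
           verdict_for(0xFFFFFF00u, 60, 0xFFFFFFF0u, true) == NF_DROP ? "DROP (wrong)" : "ACCEPT");
    return 0;
}
```

Two design notes follow from the model. First, the expiry is per-entry state set by a rule, so sessions the rule never matched keep the normal conntrack timeouts; that is what lets the feature target the idle-SSH case without touching every flow. Second, storing an absolute deadline and comparing with a wraparound-safe predicate costs nothing extra at packet time, whereas the literal sum-and-compare silently drops every stamped flow for a stretch after the counter rolls over.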