Feature suggestion: timeouting rules
Martin MAURER
martinmaurer@gmx.at
07 Mar 2002 18:49:44 +0100
On Thu, 2002-03-07 at 14:38, Stephen Frost wrote:
> * Martin MAURER (martinmaurer@gmx.at) wrote:
> > I am currently developing an iptables/ip_queue based interactive
> > firewall tool like those available on M$-Windows (tiny-firewall, ...)
> > Recently I discussed a little bit with a friend about a feature which
> > would be very nice to have in such a tool: timeouting rules. I think of
> > the following situation: Somebody is portscanning my machine. For
> > security reasons I want to block his access, but of course not forever.
> > So it would be nice if I could do something like:
> > iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> > so that this firewall rule is deleted automatically at the given time.
> > Of course it would also be possible, to implement this feature as a part
> > of my tool, but I thought maybe it would be a useful extension to
> > netfilter itself.
> > I personally do not know a lot about netfilter internals, and so I can't
> > say if this would be easy/possible to implement.
>
> iptables can do what you're asking through the ipt_recent module
> available in patch-o-matic. It's not perfect and I'm still working out
> some kinks but in general it works for me. I'm rewriting the IP lookup
> to use a hash-based algorithm instead of a linear search due to some
> interest in having the 'recent' table be larger. I'll submit a new
> patch once that's done. Unfortunately I don't know of a way to do a
> generic timeout on a rule yet, though I think it might be possible to
> add that ability as a module but it wouldn't be dynamically updating
> like ipt_recent can do.
thanks for your suggestion.
I think for my purpose this module is not the optimal way of doing it,
since I probably want to match against other conditions too.
(for example allow somebody to access my local ssh service for the next
2 hours - so the seconds parameter wouldn't work)
but I will keep an eye on this one :)
>
> Stephen
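The userspace approach Martin mentions ("implement this feature as a part of my tool") is straightforward to sketch. The following is an added example, not code from the thread or from Martin's tool: a small manager that remembers each rule together with its expiry timestamp and issues `iptables -D` for rules that have lapsed. Both situations from the thread are covered: a temporary DROP for a scanning host and a temporary ACCEPT for ssh from one address, which the `recent` match's seconds parameter cannot express. The addresses, chain names and TTLs are constructed sample values; with `dry_run=True` the `iptables` commands are only recorded, so the module runs without root or netfilter.

```python
"""Expiring iptables rules in userspace (added example, not the thread's code).

Each rule is stored with a Unix deadline; expire() deletes the ones whose
deadline has passed by running `iptables -D` with exactly the arguments that
were used for `iptables -A`, so the deletion matches the rule we inserted.
"""
from __future__ import annotations

import shlex
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class TimedRule:
    chain: str            # e.g. "INPUT"
    match: List[str]      # iptables match arguments, e.g. ["-s", "203.0.113.7"]
    target: str           # e.g. "DROP" or "ACCEPT"
    expires_at: float     # Unix timestamp after which the rule is removed

    def args(self, action: str) -> List[str]:
        """Build the argv for `-A` (append) or `-D` (delete) of this rule."""
        return ["iptables", action, self.chain, *self.match, "-j", self.target]


class RuleTimer:
    def __init__(self, dry_run: bool = True, clock: Callable[[], float] = time.time):
        self.dry_run = dry_run
        self.clock = clock            # injectable for tests and simulations
        self.active: List[TimedRule] = []
        self.log: List[str] = []      # every command issued, for auditing

    def _run(self, argv: List[str]) -> None:
        self.log.append(shlex.join(argv))
        if not self.dry_run:
            # Requires CAP_NET_ADMIN; raises on a non-zero exit status.
            subprocess.run(argv, check=True)

    def add(self, chain: str, match: List[str], target: str, ttl_seconds: float) -> TimedRule:
        """Insert a rule that will be deleted ttl_seconds from now."""
        rule = TimedRule(chain, list(match), target, self.clock() + ttl_seconds)
        self._run(rule.args("-A"))
        self.active.append(rule)
        return rule

    def expire(self) -> List[TimedRule]:
        """Delete every rule whose deadline has passed; return the removed rules."""
        now = self.clock()
        expired = [r for r in self.active if r.expires_at <= now]
        for rule in expired:
            self._run(rule.args("-D"))
        self.active = [r for r in self.active if r.expires_at > now]
        return expired


if __name__ == "__main__":
    # Simulated clock so the demo does not have to wait two hours.
    fake_now = [1_000_000.0]
    timer = RuleTimer(dry_run=True, clock=lambda: fake_now[0])
    # Constructed sample addresses (RFC 5737 documentation ranges).
    timer.add("INPUT", ["-s", "203.0.113.7"], "DROP", ttl_seconds=600)
    timer.add("INPUT", ["-p", "tcp", "--dport", "22", "-s", "198.51.100.4"],
              "ACCEPT", ttl_seconds=2 * 3600)
    for step in (0, 700, 7300):
        fake_now[0] = 1_000_000.0 + step
        removed = timer.expire()
        print(f"t+{step:5d}s removed {[r.target for r in removed]}, "
              f"{len(timer.active)} active")
    print("\n".join(timer.log))
```

A real tool would run `expire()` from a periodic timer and persist `active` to disk, otherwise a restart loses the deadlines and the rules stay in place indefinitely. Note also that `iptables -D` removes only the first rule matching the spec, so adding the same rule twice requires two deletions.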