new match extension to implement port knocking in one
J. Federico Hernandez
fede.hernandez at gmail.com
Wed Oct 18 02:32:12 CEST 2006
On 10/17/06, Eric Leblond <eric at inl.fr> wrote:
> Le mardi 17 octobre 2006 à 09:19 -0300, J. Federico Hernandez a écrit :
> > On 10/16/06, Pablo Neira Ayuso <pablo at netfilter.org> wrote:
> > > J. Federico Hernandez wrote:
> > > >> On Oct 14, 2006, Michael Rash wrote:
> > > >>
> > > >> Well, I agree that having an implementation that builds some port
> > > >> knocking capabilities directly into iptables is a good thing for the
> > >
> > > Perhaps I'm just influenced by my first impression but I think that this
> > > thing should be in userspace. We are providing the appropriate netfilter
> > > netlink subsystems (nfqueue, nflog...) to implement this as a userland
> > > daemon.
> > >
> >
> > When all you want is to open a port after a correct sequence of
> > knocks, instead of sending from the kernel all the knocks to the
> > userspace, and then setting a new iptables rule so the kernel firewall
> > takes an action, it would be better to leave the whole work to the
> > kernel and avoid the transition kernel->userspace->kernel.
>
> kernel->userspace->kernel is really not a problem for today's computers.
> Simply think about snort-inline which is able to handle a great amount
> of traffic.
The fact that today's computers have much more power doesn't mean
that you can forget about a simple, less complex and correct design.
By the way, Linux runs on a wide spectrum of devices, like mobile
devices, where you mustn't waste resources (see Linksys wireless APs,
smart phones, etc.).
regards,
--
Federico
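The matching logic both sides of the thread are arguing about (a per-source sequence of knocks that opens a protected port, whether it lives in a kernel match or in an nfqueue daemon), as an added, constructed Python model that is not the patch under discussion nor netfilter code. The knock ports, the protected port and the two timeouts are assumptions chosen for the example.

```python
"""Constructed model of a port-knock matcher: per-source knock progress,
a time window between knocks, and a lifetime for the opened port.
Not netfilter code; the ports and timeouts below are assumptions."""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock sequence (in order)
PROTECTED_PORT = 22                  # assumed port opened after a full sequence
WINDOW_SECONDS = 10.0                # assumed max gap between consecutive knocks
OPEN_SECONDS = 30.0                  # assumed time the port stays open


class KnockState:
    """Per-source progress through the sequence and open-until timestamp."""

    def __init__(self):
        self.progress = 0        # knocks of the sequence matched so far
        self.last_seen = 0.0     # time of the last accepted knock
        self.open_until = 0.0    # protected port is open while now < open_until


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT,
                 window=WINDOW_SECONDS, open_for=OPEN_SECONDS):
        self.sequence, self.protected = tuple(sequence), protected
        self.window, self.open_for = window, open_for
        self.states = {}         # src address -> KnockState

    def observe(self, src, dport, now):
        """Return 'accept' or 'drop' for one packet from src to dport at time now.
        Knock packets themselves are always dropped; only the protected port
        is accepted, and only for a source that completed the sequence."""
        st = self.states.setdefault(src, KnockState())
        if dport == self.protected:
            return "accept" if now < st.open_until else "drop"
        if dport not in self.sequence:
            return "drop"                      # unrelated port: default policy
        if st.progress and now - st.last_seen > self.window:
            st.progress = 0                    # too slow: start over
        if dport == self.sequence[st.progress]:
            st.progress += 1
            st.last_seen = now
            if st.progress == len(self.sequence):
                st.open_until = now + self.open_for
                st.progress = 0
        else:
            # Wrong knock resets; a wrong knock that is the first port restarts.
            st.progress = 1 if dport == self.sequence[0] else 0
            st.last_seen = now
        return "drop"
```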