Alessandro Vesely writes:
Unfortunately, that cannot be done with netfilter queue: one invokes the userspace program with "iptables -A <cond> -j NFQUEUE". (<cond> is where one can decide about packet direction, SYN flag, and the like.) The userspace utility will only be able to say ACCEPT or DROP. Mine, ipqbdb, just looks up a bdb file to decide the verdict.
Iptables also has a "recent" module, that can be specified in the <cond> in order to match a dynamic list of IPs. That allows one to specify "-j REJECT" as the action. However, the dynamic list consists of plain files; they can be read and written from userspace programs by accessing /proc/net/ipt_recent/<name>, but it is not clear how synchronization with the kernel can be achieved.
Any other ideas for blocking existing connections?
I don't follow. If you insert a rule to REJECT outbound packets to a given IP address, if there's an existing connection, its next outbound packet will get rejected, and the socket layer should then drop the connection, passing back an ECONNRESET to the application. netfilter doesn't just look at initial SYNs, it can also reject packets from existing connections.
Using smtpaccess is clever. However, its access is implemented generically and I'm not sure one can deploy, say, bdb's concurrent data store model. Does that imply using makesmtpaccess (and restarting couriertcpd) every time?
There is no need to restart couriertcpd. Couriertcpd detects when the smtpaccess file has changed, and reloads it.
This does not need to be realtime. Updating the list hourly should be sufficient. Even with several thousand records, makesmtpaccess shouldn't take long to rebuild.
The only potential pitfall to watch out for are zombies that keep trying repeatedly and immediately. You may end up with them flooding your bandwidth, since couriertcpd will accept and drop their connection immediately, afterwards they'll try again without delay. Lather, rinse, repeat.
Yeah, in that case it would be better to use iptables. It is not a frequently seen behavior, though. What about using both smtpaccess and iptables, reserving the latter for higher error rates?
Whatever works. Nothing wrong with that.
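The split policy the thread settles on, written out as an added example (it is not code from this thread, from Courier or from ipqbdb): every offending client goes into a Courier smtpaccess "deny" file that makesmtpaccess rebuilds periodically and couriertcpd picks up without a restart, while only clients above an error threshold also get an iptables REJECT, which is what tears down connections that are already open. Everything beyond what the thread states is my assumption: the input format (one "ip error-count" line per client), the generated file name "blocked", the dedicated SMTP_BLOCK chain, the tcp-reset reject on inbound port 25, and the constructed sample addresses. The iptables calls go through the IPTABLES variable, which defaults to a dry run that only echoes the commands.

```shell
#!/bin/sh
# Added example; not the thread's or Courier's own code. Assumptions (mine):
# offenders file with "ip error-count" per line, output file "blocked" in the
# smtpaccess directory, a private SMTP_BLOCK chain, reject with tcp-reset.
IPTABLES="${IPTABLES:-echo iptables}"          # set IPTABLES=iptables to apply for real
SMTPACCESS_DIR="${SMTPACCESS_DIR:-/etc/courier/smtpaccess}"
IPT_THRESHOLD="${IPT_THRESHOLD:-50}"

# Print one smtpaccess line (address, TAB, "deny") per offender, skipping
# blank lines and # comments. couriertcpd refuses these clients at accept
# time, which is cheap but does not touch connections already established.
smtpaccess_deny_lines() {
    # $1 = offenders file
    awk '!/^[[:space:]]*(#|$)/ { printf "%s\tdeny\n", $1 }' "$1"
}

# Add a REJECT rule for every offender whose error count reaches the
# threshold. The chain is flushed first so hourly runs do not accumulate
# rules, and the reject is a TCP RST so an open session fails immediately
# instead of leaving a zombie to retransmit.
iptables_reject_heavy() {
    # $1 = offenders file, $2 = threshold
    $IPTABLES -N SMTP_BLOCK 2>/dev/null || $IPTABLES -F SMTP_BLOCK
    $IPTABLES -C INPUT -p tcp --dport 25 -j SMTP_BLOCK 2>/dev/null ||
        $IPTABLES -I INPUT -p tcp --dport 25 -j SMTP_BLOCK
    awk -v t="$2" '!/^[[:space:]]*(#|$)/ && $2+0 >= t { print $1 }' "$1" |
    while IFS= read -r ip; do
        $IPTABLES -A SMTP_BLOCK -p tcp -s "$ip" -j REJECT --reject-with tcp-reset
    done
}

# Write the deny file and rebuild smtpaccess.dat; couriertcpd notices the
# rebuilt file by itself, no restart needed (as stated in the thread).
deploy_smtpaccess() {
    # $1 = offenders file
    smtpaccess_deny_lines "$1" > "$SMTPACCESS_DIR/blocked" && makesmtpaccess
}

# Constructed sample input (documentation address ranges, made up counts).
offenders=$(mktemp)
printf '%s\n' '# ip          errors in the last hour' \
              '203.0.113.5   3' \
              '198.51.100.7  120' \
              '192.0.2.9     51' > "$offenders"

echo "--- smtpaccess deny lines (all offenders) ---"
smtpaccess_deny_lines "$offenders"
echo "--- iptables rules (offenders at or above $IPT_THRESHOLD errors) ---"
iptables_reject_heavy "$offenders" "$IPT_THRESHOLD"
rm -f "$offenders"
```

Run as-is to see both outputs; with IPTABLES=iptables and root the rules are applied, and deploy_smtpaccess is the hourly cron step for the smtpaccess half. Keeping the REJECT rules in their own chain is what makes the periodic rebuild idempotent.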
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
