Alessandro Vesely writes:
Sam Varshavchik wrote:Unfortunately, that cannot be done with netfilter queue: one invokes the userspace program with "iptables -A <cond> -j NFQUEUE". (<cond> is where one can decide about packet direction, SYN flag, and the like.) The userspace utility will only be able to say ACCEPT or DROP. Mine, ipqbdb, just looks up a bdb file to decide the verdict.Iptables also has a "recent" module, that can be specified in the <cond> in order to match a dynamic list of IPs. That allows to specify "-j REJECT" as the action. However, the dynamic list consists of plain files; they can be read and written from userspace programs by accessing /proc/net/ipt_recent/<name>, but it is not clear how synchronization with the kernel can be achieved.Any other ideas for blocking existing connections?I don't follow. If you insert a rule to REJECT outbound packets to a given IP address,Since the IP address is dynamic, AFAIK the rule has to use "-m recent" in its <cond> part. I dislike updating ipt_recent's virtual files from userspace because of the above mentioned synchronization problem. Possibly, it's just me being overly ignorant about iptables inner workings...
No, you don't need to bother keeping lists. For example, when portsentry blocks a portscanner:
/sbin/iptables -I INPUT -s 61.128.162.90 -j DROP In your case, you'd use: /sbin/iptables -I OUTPUT -d aaa.bbb.ccc.ddd -j REJECT Then, after the timeout expires /sbin/iptables -D OUTPUT -d aaa.bbb.ccc.ddd -j REJECT
pgpmpb2xDvbbt.pgp
Description: PGP signature
------------------------------------------------------------------------------ Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
