* Martin MAURER ([EMAIL PROTECTED]) wrote:
> thanks for your suggestion.
> I think for my purpose this module is not the optimal way of doing it,
> since I probably want to match against other conditions too.
> (for example allow somebody to access my local ssh service for the next
> 2 hours - so the seconds parameter wouldn't work)
>
> but I will keep an eye on this one :)
Someone is actually looking into doing something very similar. Seconds doesn't have to be some small value, it could be 2 hours if you wanted.

The bigger question comes from how you implement it, really. You can either have the ipt_recent match before or after an ESTABLISHED,RELATED accept. If it's before, then existing connections will be dropped mid-stream at the deadline point (unless you use --update). If it's after, then existing connections won't have a timelimit on them. Though now that I think about it, I guess you could do both with different timeframes since you can use multiple ipt_recent tables with the latest versions.

The only other problem is the size of the table has to be large enough that valid connections don't get pushed out for being too old due to lots of new connections, but that's an option to the module which you can set.

Stephen
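The two rule orderings Stephen describes, written out as an added example (this is not code from the thread or from the netfilter project). Everything not in the post is an assumption chosen here for illustration: the list name `sshgrant`, the 2-hour window as 7200 seconds, the `ip_list_tot=200` table size, the address 192.0.2.10 used in the usage line, and the `/proc/net/ipt_recent/<name>` interface for adding an address by hand (later kernels moved it to `/proc/net/xt_recent/`). The `run` wrapper prints each command and only executes it when `DRY_RUN` is unset, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Time-limited SSH access with the recent match: added example, not from the thread.
# Assumed names/values (not in the original post): LIST, WINDOW, TABLE_SIZE, proc path.

LIST=sshgrant        # assumed name of the recent table
WINDOW=7200          # 2 hours, in seconds
TABLE_SIZE=200       # assumed ip_list_tot: big enough that grants are not pushed out
                     # of the table by a burst of unrelated new entries

# Print each command; execute it unless DRY_RUN is set.
run() {
  printf '%s\n' "$*"
  [ -n "${DRY_RUN:-}" ] || "$@"
}

# Load the module with a larger table than the default (the "option to the
# module which you can set" from the post).
load_module() {
  run modprobe ipt_recent ip_list_tot="$TABLE_SIZE"
}

# Variant A: recent check BEFORE the ESTABLISHED,RELATED accept.
# Port-22 traffic never reaches the state rule, so a session whose grant has
# expired is dropped mid-stream at the deadline. Pass "update" instead of
# "rcheck" and every packet refreshes the timestamp, so an active session keeps
# itself alive; the window then only limits idle time.
build_variant_a() {
  mode="${1:-rcheck}"   # rcheck or update
  run iptables -A INPUT -p tcp --dport 22 -m recent --name "$LIST" --"$mode" --seconds "$WINDOW" -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j DROP
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Variant B: recent check AFTER the ESTABLISHED,RELATED accept.
# Only NEW connections are subject to the window; a session opened inside the
# window runs on for as long as it likes.
build_variant_b() {
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name "$LIST" --rcheck --seconds "$WINDOW" -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j DROP
}

# Grant an address for the next WINDOW seconds by adding it to the table
# (the "+addr" write is the recent module's proc interface; path assumed for
# the ipt_recent era, later kernels use /proc/net/xt_recent/).
grant() {
  run sh -c "echo +$1 > /proc/net/ipt_recent/$LIST"
}

# Revoke early with "-addr".
revoke() {
  run sh -c "echo -$1 > /proc/net/ipt_recent/$LIST"
}

# Usage: DRY_RUN=1 sh thisfile.sh a        (print variant A rules)
#        sh thisfile.sh b                  (install variant B, needs root)
#        sh thisfile.sh grant 192.0.2.10   (192.0.2.10 is a constructed example address)
case "${1:-}" in
  a)      load_module; build_variant_a "${2:-rcheck}" ;;
  b)      load_module; build_variant_b ;;
  grant)  grant "$2" ;;
  revoke) revoke "$2" ;;
esac
```

Variant A with `--rcheck` is the strict reading of "access for the next 2 hours": the cut-off is absolute. Variant B is the forgiving one, and combining both (a short `--rcheck` window on NEW plus a longer `--update` window ahead of the state rule, using two differently named tables) gives the "both with different timeframes" arrangement mentioned above.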