On Thu, 2002-03-07 at 14:38, Stephen Frost wrote:
> * Martin MAURER ([EMAIL PROTECTED]) wrote:
> > I am currently developing an iptables/ip_queue based interactive
> > firewall tool like those available on M$-Windows (tiny-firewall, ...)
> > Recently I discussed a little bit with a friend about a feature which
> > would be very nice to have in such a tool: timeouting rules. I think of
> > the following situation: Somebody is portscanning my machine. For
> > security reasons I want to block his access, but of course not forever.
> > So it would be nice if I could do something like:
> > iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> > so that this firewall rule is deleted automatically at the given time.
> > Of course it would also be possible to implement this feature as a part
> > of my tool, but I thought maybe it would be a useful extension to
> > netfilter itself.
> > I personally do not know a lot about netfilter internals, and so I can't
> > say if this would be easy/possible to implement.
> 
> iptables can do what you're asking through the ipt_recent module
> available in patch-o-matic.  It's not perfect and I'm still working out
> some kinks but in general it works for me.  I'm rewriting the IP lookup
> to use a hash-based algorithm instead of a linear search due to some
> interest in having the 'recent' table be larger.  I'll submit a new
> patch once that's done.  Unfortunately I don't know of a way to do a
> generic timeout on a rule yet, though I think it might be possible to
> add that ability as a module but it wouldn't be dynamically updating
> like ipt_recent can do.
Thanks for your suggestion.
I think for my purpose this module is not the optimal way of doing it,
since I probably want to match against other conditions too.
(for example allow somebody to access my local ssh service for the next
2 hours - so the seconds parameter wouldn't work)

but I will keep an eye on this one :)


> 
>       Stephen
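
A userspace version of the per-rule timeout discussed above (store each rule with its own expiry and delete it with `iptables -D` once that time passes), as an added example that is not part of this thread and not code from Martin's tool or from netfilter; the `TimedRuleTable` class, the injectable runner and the sample addresses are this example's own assumptions, and the demo uses a dry-run runner so it needs neither root nor a live kernel.

```python
import subprocess
import time


class TimedRuleTable:
    """Emulate a per-rule timeout in userspace: remember each rule's expiry
    timestamp and remove it with 'iptables -D <same spec>' when that passes."""

    def __init__(self, runner=None, iptables="iptables"):
        # runner(argv) executes one iptables command; it is injectable (assumed
        # design) so the bookkeeping can be exercised without root.
        self.runner = runner or (lambda argv: subprocess.run(argv, check=True))
        self.iptables = iptables
        self.rules = []  # list of (expiry_unix_ts, rule_spec)

    def add(self, chain, match_args, expiry_ts, target):
        """Append the rule now and record the unix timestamp at which to drop it.
        Any match arguments are allowed, e.g. '-p tcp --dport 22' for ssh."""
        spec = [chain] + list(match_args) + ["-j", target]
        self.runner([self.iptables, "-A"] + spec)
        self.rules.append((expiry_ts, spec))

    def expire(self, now=None):
        """Delete every rule whose expiry has passed; return the deleted specs."""
        now = time.time() if now is None else now
        gone = [r for r in self.rules if r[0] <= now]
        for _, spec in gone:
            self.runner([self.iptables, "-D"] + spec)
        self.rules = [r for r in self.rules if r[0] > now]
        return [spec for _, spec in gone]


def demo():
    """Constructed scenario: a scanning host is dropped for 10 minutes and a
    known host gets ssh for 2 hours; a sweep at t0+601 removes only the first."""
    log = []  # dry-run runner: collect the argv lists instead of executing them
    table = TimedRuleTable(runner=log.append)
    t0 = 1_000_000  # constructed base timestamp
    table.add("INPUT", ["-s", "192.0.2.10"], t0 + 600, "DROP")
    table.add("INPUT", ["-s", "198.51.100.7", "-p", "tcp", "--dport", "22"],
              t0 + 7200, "ACCEPT")
    removed = table.expire(now=t0 + 601)
    return removed, len(table.rules), log
```

Run `expire()` periodically (a cron job or a sleep loop in the tool) with the default runner; because the full rule spec is kept, it sidesteps the `--seconds` limitation of the `recent` match mentioned above, since any match arguments can be combined with the timeout.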
