From: Hervé Eychenne <[EMAIL PROTECTED]>
To: Gozem <[EMAIL PROTECTED]>
Cc: Martin MAURER <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Feature suggestion: timeouting rules
In-Reply-To: <[EMAIL PROTECTED]>

On Thu, Mar 07, 2002 at 02:37:13PM +0100, Gozem wrote:

 Hi,

> > I am currently developing an iptables/ip_queue based interactive
> > firewall tool like those available on M$-Windows (tiny-firewall, ...).
> > Recently I discussed a little bit with a friend about a feature which
> > would be very nice to have in such a tool: timeouting rules. I think of
> > the following situation: Somebody is portscanning my machine. For
> > security reasons I want to block his access, but of course not forever.
> > So it would be nice if I could do something like:
> >
> > iptables -A INPUT -s his.ip.address -timeout a_unix_timestamp -j DROP
> >
> > so that this firewall rule is deleted automatically at the given time.
> > Of course it would also be possible to implement this feature as a part
> > of my tool, but I thought maybe it would be a useful extension to
> > netfilter itself.
> > I personally do not know a lot about netfilter internals, and so I can't
> > say if this would be easy/possible to implement.

> That feature will be available in ippool coming soon. You can add IPs to a
> pool with the pooltype that removes its IP after X seconds.

I'm sorry, but I'm not sure that such a feature belongs to an existing match
module (pool, recent, etc.). Wouldn't it be best to do a separate module for
this, as several matches can be combined in a single rule? That would be much
more generic, I think (if we consider this functionality belongs to kernel
space, of course...)

Example:

iptables -A INPUT -s $IP -m timeout --timestamp $TIMESTAMP -j ACCEPT

Please note that such a feature can currently be achieved in user-space with
a simple at job. And it seems sufficient in most cases.

 RV

-- 
 _
(°=  Hervé Eychenne
//)  v_/_  WallFire project: http://www.wallfire.org/
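Both ways of expiring a block discussed in the thread, as an added example that is not code from the thread or from the netfilter project: the user-space `at` job the reply recommends, and the kernel-side aging that the ippool "remove after X seconds" pooltype became in its successor, ipset, where each entry carries its own timeout. The script assumes an iptables new enough to support `-C` (rule check), an ipset with per-entry timeouts, a running atd and root; the set name `tmpblock` and the variable names `IPT`, `IPSET` and `AT` are this example's own, made overridable so the functions can be exercised against stubs without touching a live firewall.

```shell
#!/bin/sh
# Temporary DROP for one source address, expiring without a kernel "timeout"
# match. Added example, not from the thread. Assumes iptables with -C,
# ipset with per-entry timeouts, a running atd, and root for a real run.
# IPT/IPSET/AT/SETNAME are overridable so the functions can be driven by stubs.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
AT="${AT:-at}"
SETNAME="${SETNAME:-tmpblock}"   # hypothetical set name for this example

# Accept dotted-quad IPv4 only (four fields, each 0-255). Anything else is
# refused so an attacker-chosen string never reaches the command line that
# is later handed to at(1) as a shell job.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The delete must repeat the insert's rule spec exactly, or -D finds nothing;
# generating both from one function guarantees that.
rule_spec() { printf 'INPUT -s %s -j DROP\n' "$1"; }

# Approach 1, the reply's suggestion: a plain rule plus an at(1) job that
# deletes it. at's finest granularity is one minute, so the delay rounds up.
block_with_at() {
    ip="$1" seconds="$2"
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 2; }
    case "$seconds" in ''|*[!0-9]*) echo "bad delay: $seconds" >&2; return 2;; esac
    # Idempotent: a second identical rule would survive the single -D later.
    $IPT -C $(rule_spec "$ip") 2>/dev/null || $IPT -I $(rule_spec "$ip") || return 1
    minutes=$(( (seconds + 59) / 60 ))
    printf '%s -D %s\n' "$IPT" "$(rule_spec "$ip")" | $AT "now + $minutes minutes"
}

# Approach 2, what the expiring pooltype became: the kernel ages the entry out
# itself. One static rule references the set; blocking is just an ipset add.
block_with_ipset() {
    ip="$1" seconds="$2"
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 2; }
    case "$seconds" in ''|*[!0-9]*) echo "bad delay: $seconds" >&2; return 2;; esac
    # "timeout 0" on create enables per-entry timeouts without a default one.
    $IPSET -exist create "$SETNAME" hash:ip timeout 0 || return 1
    $IPT -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null \
        || $IPT -I INPUT -m set --match-set "$SETNAME" src -j DROP || return 1
    $IPSET -exist add "$SETNAME" "$ip" timeout "$seconds"
}
```

Usage is `block_with_at 203.0.113.7 600` or `block_with_ipset 203.0.113.7 600`. The at variant has the failure modes the thread's "sufficient in most cases" hides: if atd is down the job is queued but never runs and the rule stays; after a reboot the rule is gone while the at job persists, so the scheduled `-D` fails harmlessly; and two blocks of the same address must not stack identical rules, which is why the insert checks with `-C` first. The ipset variant needs none of that because expiry lives in the kernel, which is the property the original feature request was asking for.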