On Thu, 2002-03-07 at 18:54, Stephen Frost wrote:
> * Martin MAURER ([EMAIL PROTECTED]) wrote:
> > thanks for your suggestion.
> > I think for my purpose this module is not the optimal way of doing it,
> > since I probably want to match against other conditions too.
> > (for example allow somebody to access my local ssh service for the next
> > 2 hours - so the seconds parameter wouldn't work)
> >
> > but I will keep an eye on this one :)
>
> Someone is actually looking into doing something very similar.

Do you mean somebody is making an interactive firewall using netfilter, or somebody wanting to insert rules that time out? *curious*

> Seconds doesn't have to be some small value, it could be 2 hours if you wanted.
> The bigger question comes from how you implement it, really. You can
> either have the ipt_recent match before or after an ESTABLISHED,RELATED
> accept. If it's before then existing connections will be dropped
> mid-stream on the deadline point (unless you use --update). If it's
> after then existing connections won't have a time limit on them. Though
> now that I think about it I guess you could do both with different
> timeframes since you can use multiple ipt_recent tables with the latest
> versions.

I have looked a bit at this module now. My main problem is that I would want all corresponding rules to vanish from the firewall rules, so that you don't have to clean up later. Am I right that this cannot be achieved by this module? (As I understand it, only the IPs of the people matching these rules get deleted, and the rules themselves stay.) If this is true, I will do the deleting of the inserted rules from my tool itself, but the disadvantage would be that after shutting down this tool, the rules won't be deleted (or would have to be deleted immediately).

> The only other problem is the size of the table has to be large enough
> that valid connections don't get pushed out for being too old due to
> lots of new connections, but that's an option to the module which you
> can set..
>
> Stephen
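The two placements of the ipt_recent match that Stephen describes, written out as an added shell example; this is not code from the original thread or from the ipt_recent module itself. It assumes the match options the thread names (--seconds, --update) together with --name, --rcheck and --set, and picks a table name (sshguests) and a 2-hour window purely for illustration. The /proc file used to admit an address by hand is the interface current xt_recent kernels expose and is an assumption for the 2002 module, as is the ip_list_tot parameter for the table size Stephen mentions. Run with IPTABLES=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the original thread or the ipt_recent module.
# Two ways to gate SSH on a "recent" table, following the ordering question
# in the thread. Set IPTABLES=echo to dry-run; real use needs root.
#
# Table size (Stephen's last point): on current kernels the module is loaded
# as xt_recent and the table length is the ip_list_tot module parameter
# (assumed name), e.g. "modprobe xt_recent ip_list_tot=1000".

IPTABLES="${IPTABLES:-iptables}"
TABLE="${TABLE:-sshguests}"   # hypothetical recent-table name (--name)
TTL="${TTL:-7200}"            # 2 hours, in seconds (--seconds)

# Variant A: recent match BEFORE the ESTABLISHED,RELATED accept.
# --rcheck only tests the stored timestamp, so an admitted host loses even
# an open session once TTL seconds have passed (hard deadline). Replacing
# --rcheck with --update would refresh the timestamp on every packet and
# keep an active session alive past the deadline.
ssh_window_hard_deadline() {
    $IPTABLES -A INPUT -p tcp --dport 22 \
        -m recent --name "$TABLE" --rcheck --seconds "$TTL" -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j DROP
}

# Variant B: recent match AFTER the ESTABLISHED,RELATED accept.
# Only NEW connections are checked against the window; a session opened in
# time is never cut, so it carries no time limit of its own.
ssh_window_new_only() {
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name "$TABLE" --rcheck --seconds "$TTL" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j DROP
}

# Admit one host for the next TTL seconds. Nothing has to be undone later:
# the address ages out of the table, and the rules above are static.
# Writing "+addr" to the table's /proc file is the xt_recent interface of
# current kernels (assumed here; the 2002 module used /proc/net/ipt_recent).
admit_host() {
    addr="$1"
    proc="/proc/net/xt_recent/$TABLE"
    if [ "$IPTABLES" = echo ]; then
        # dry run: show the write instead of performing it
        echo "echo +$addr > $proc"
    else
        echo "+$addr" > "$proc"
    fi
}
```

The only per-guest action is admit_host; both rule sets are loaded once and left alone, which is the property Martin is asking about (the table entry expires, the rules stay). If a host is admitted while a table is already full, the oldest entry is the one pushed out, which is why ip_list_tot has to exceed the number of hosts you expect to hold at once.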