2002-04-19 15:39:38+0200, Jozsef Kadlecsik <[EMAIL PROTECTED]> ->
> On Wed, 17 Apr 2002, Joakim Axelsson wrote:
> 
> > We would like to call this "border". Just the same as "filter INPUT", but
> > the absolutely first thing that happens after the packet comes from the
> > netcard driver. Perhaps a border OUTPUT doing the same thing just before
> > entering the netcard driver. But it's not really needed more than in anti
> > spoof and debugging of your own network. Meaning border INPUT is enough,
> > really.
> 
> This 'border' table is hooked at NF_IP_PRE_ROUTING?
> 

I haven't had a look at where in the code exactly. Just that we want it to
be right after the netcard driver. Letting all IPv4 packets go through that
table.

> > Any solution with being able to mark packets for "NOTRACK" or anything is
> > just too complicated in our need; handling DoS. Everything that does get past
> > "border" is conntracked (if conntrack is loaded). Plain and easy. However I
> > can see that people would like the solution of letting packets get "flagged"
> > notrack.
> 
> One could do both in the proposed new table: drop the packet or flag it to
> avoid entering conntrack (for example web traffic).
> 

Sure, can be. But maybe a better name is "netdev" or something with tables
RX and TX as Patrick suggested. Name doesn't matter to me really. Just where
the hook is. It must be the very first thing after the driver lets it go to
be able to stop attacks fast.

> Regards,
> Jozsef
> -
> E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
> 

-- 
/Joakim Axelsson A.K.A Gozem@EFnet & OPN
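Added illustration, not part of the original thread: what the "drop or flag before conntrack" idea discussed above looks like in the iptables raw table that later shipped, hooked at NF_IP_PRE_ROUTING ahead of connection tracking. Interface name, the spoofed source range and the exempted port are assumed sample values, in iptables-restore format.

```iptables
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoof: an internal source address arriving on the external interface
# (eth0 and 10.0.0.0/8 are assumed sample values) is dropped before
# conntrack ever allocates state for it.
-A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
# Flag bulk web traffic so it bypasses conntrack; everything else that
# passes this table is tracked as usual.
-A PREROUTING -p tcp --dport 80 -j NOTRACK
COMMIT
```

Load with `iptables-restore < file` and check with `iptables -t raw -L -v -n`; the packet counters on the DROP rule show what was stopped before conntrack saw it.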
