On Wed, 29 May 2002, Maciej Soltysiak wrote:

> I was hoping for some kind of discussion on it.
> Also I like it separated from unclean, because unclean does not allow you
> to:
> -m unclean --unclean-option-x

Yes, the "monolithicity" of unclean is a little bit disturbing. It would be much better if one could fine-tune which checks should be applied. However, there are so many sanity checks in unclean that it's not so easy to design an intuitive and handy interface.

> and if I just:
> iptables -A INPUT -m unclean -j DROP
>
> I will drop everything that unclean matches. Personally I like this kind
> of configuration.
>
> 1. match ip unused and log or drop
> 2. match some scans using --tcp-flags and reject with tcp-reset
> 3. match tcp scans using psd and reject with tcp-reset
> 4. match udp scans using psd and reject with icmp
> 5. match using unclean for anything else: bad chksum, bad frag offset,
>    etc

If you simply drop at 5. then it could be replaced with the new unclean match used at 1.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary