* Time based rules ...
From: Raymond Leach @ 2002-11-13 15:01 UTC
To: Netfilter Mailing List
Hi
Is there a way to put time restrictions on rules?
For example, something like:
iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
0700:1700 -j DROP
It would be nice ...
Ray
* RE: Time based rules ...
From: Rob Sterenborg @ 2002-11-13 15:50 UTC
To: 'Netfilter Mailing List'
> Is there a way to put time restrictions on rules?
> For example, something like:
>
> iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> 0700:1700 -j DROP
There is a time patch in pom (base).
From the website :
This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match
module.
This match allows you to filter based on the packet arrival time
(arrival time at the machine which the netfilter is running on) or
departure time (for locally generated packets).
Rob
* Re: Time based rules ...
From: Chris Poupart @ 2002-11-13 16:00 UTC
To: Raymond Leach; +Cc: Netfilter Mailing List
Couldn't you just use a CRON job to add and remove that rule at the
required times?
-- Chris
Raymond Leach wrote:
> Hi
>
> Is there a way to put time restrictions on rules?
> For example, something like:
>
> iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> 0700:1700 -j DROP
>
> It would be nice ...
>
> Ray
> --
* Re: Time based rules ...
From: Raymond Leach @ 2002-11-13 16:00 UTC
To: Chris Poupart; +Cc: Netfilter Mailing List
On Wed, 2002-11-13 at 18:00, Chris Poupart wrote:
> Couldn't you just use a CRON job to add and remove that rule at the
> required times?
>
Well that's what I'm doing, but it gets cumbersome when you have
multiple timeslots for different days, e.g. Weekends.
> -- Chris
>
> Raymond Leach wrote:
> > Hi
> >
> > Is there a way to put time restrictions on rules?
> > For example, something like:
> >
> > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > 0700:1700 -j DROP
> >
> > It would be nice ...
> >
> > Ray
> > --
* RE: Time based rules ...
From: Raymond Leach @ 2002-11-13 17:53 UTC
To: 'Netfilter Mailing List'
On Wed, 2002-11-13 at 17:50, Rob Sterenborg wrote:
> > Is there a way to put time restrictions on rules?
> > For example, something like:
> >
> > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > 0700:1700 -j DROP
>
> There is a time patch in pom (base).
>
OK. Thanks I'll check it out.
> From the website :
> This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match
> module.
> This match allows you to filter based on the packet arrival time
> (arrival time at the machine which the netfilter is running on) or
> departure time (for locally generated packets).
>
>
> Rob
* Re: Time based rules ...
From: Raymond Leach @ 2002-11-14 4:42 UTC
To: dharmu; +Cc: Netfilter Mailing List
Hi
Yes, all my chains default policies are set to DROP.
I believe in taking the paranoid approach to security: assume everything
is bad and then only allow what you know to go where you want it to. I'm
sure you know the cliche by now :- 'where do you want to go today?'
On Linux we know where we want to go ...
Ray
On Thu, 2002-11-14 at 07:08, Dharmendra.T wrote:
> What is the default policy you have set for? I guess it is by dropping all the
> packets from the forward chain and then you are allowing accordingly.
> Regards,
> Dharmendra.T
> Linux Security Expert
> www.nsecure.net
> dharmu@nsecure.net
> On Wednesday 13 November 2002 20:31, Raymond Leach wrote:
> > Hi
> >
> > Is there a way to put time restrictions on rules?
> > For example, something like:
> >
> > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > 0700:1700 -j DROP
> >
> > It would be nice ...
> >
> > Ray
* Re: Time based rules ...
From: Dharmendra.T @ 2002-11-14 5:08 UTC
To: Raymond Leach, Netfilter Mailing List
What is the default policy you have set for? I guess it is by dropping all the
packets from the forward chain and then you are allowing accordingly.
Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net
On Wednesday 13 November 2002 20:31, Raymond Leach wrote:
> Hi
>
> Is there a way to put time restrictions on rules?
> For example, something like:
>
> iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> 0700:1700 -j DROP
>
> It would be nice ...
>
> Ray
* Re: Time based rules ...
From: Dharmendra.T @ 2002-11-14 6:14 UTC
To: Raymond Leach; +Cc: Netfilter Mailing List
But I don't think we can specify the time option in iptables. If any modules
are there using which we can specify the time let us know.
Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net
On Thursday 14 November 2002 10:12, Raymond Leach wrote:
> Hi
>
> Yes, all my chains default policies are set to DROP.
>
> I believe in taking the paranoid approach to security: assume everything
> is bad and then only allow what you know to go where you want it to. I'm
> sure you know the cliche by now :- 'where do you want to go today?'
>
> On Linux we know where we want to go ...
>
> Ray
>
> On Thu, 2002-11-14 at 07:08, Dharmendra.T wrote:
> > What is the default policy you have set for? I guess it is by dropping all
> > the packets from the forward chain and then you are allowing
> > accordingly. Regards,
> > Dharmendra.T
> > Linux Security Expert
> > www.nsecure.net
> > dharmu@nsecure.net
> >
> > On Wednesday 13 November 2002 20:31, Raymond Leach wrote:
> > > Hi
> > >
> > > Is there a way to put time restrictions on rules?
> > > For example, something like:
> > >
> > > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > > 0700:1700 -j DROP
> > >
> > > It would be nice ...
> > >
> > > Ray
* Re: Time based rules ...
From: Fabrice MARIE @ 2002-11-14 6:54 UTC
To: dharmu, Raymond Leach; +Cc: Netfilter Mailing List
Hi,
On Thursday 14 November 2002 14:14, Dharmendra.T wrote:
> But I don't think we can specify the time option in iptables. If any
> modules are there using which we can specify the time let us know.
> [...]
You can have a look at:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html
and particularly at :
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.17
> > > On Wednesday 13 November 2002 20:31, Raymond Leach wrote:
> > > > Hi
> > > > Is there a way to put time restrictions on rules?
> > > > For example, something like:
> > > > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > > > 0700:1700 -j DROP
> > > > It would be nice ...
> > > > Ray
Have a nice day,
Fabrice.
--
Fabrice MARIE
"Silly hacker, root is for administrators"
-Unknown
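The schedule problem raised in this thread (several time slots on different days), as an added example that is not part of any poster's message: a shell script that expands a slot table into rules using the time match instead of cron add/remove pairs. It assumes the `-m time` options of current iptables (`--timestart`, `--timestop`, `--weekdays`, `--kerneltz`), which may differ from the 2002 patch-o-matic version; the slot table is constructed, and `eth0` and the port ranges are taken from the original question.

```shell
#!/bin/sh
# Added example: expand a slot table into iptables rules using the time match.
# Assumed: -m time options of current iptables (may differ from the 2002 patch).

# Constructed schedule, one slot per line: "<weekdays> <start> <stop>".
SCHEDULE='Mon,Tue,Wed,Thu,Fri 07:00 17:00
Sat,Sun 09:00 13:00'

# Succeeds only for a zero-padded 24-hour HH:MM value.
valid_hhmm() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only for a comma-separated list of three-letter day names.
valid_days() {
    old_ifs=$IFS; IFS=,
    set -- $1            # split the list on commas
    IFS=$old_ifs
    [ "$#" -gt 0 ] || return 1
    for d in "$@"; do
        case "$d" in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;
            *) return 1 ;;
        esac
    done
}

# Print one DROP rule per slot for the traffic in the original question.
# Stops and returns 1 at the first malformed slot, so a typo in the table
# never turns into a rule that silently matches at the wrong time.
emit_rules() {
    while read -r days start stop; do
        [ -n "$days" ] || continue
        if ! valid_days "$days" || ! valid_hhmm "$start" || ! valid_hhmm "$stop"; then
            echo "bad slot: $days $start $stop" >&2
            return 1
        fi
        # --kerneltz: use the kernel's timezone; the match defaults to UTC.
        echo "iptables -A FORWARD -i eth0 -p tcp --sport 1024: --dport 1024:" \
             "-m time --timestart $start --timestop $stop" \
             "--weekdays $days --kerneltz -j DROP"
    done <<EOF
$1
EOF
}

emit_rules "$SCHEDULE"
```

The script only prints the rules; check the exit status of `emit_rules` before passing its output to a shell.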
* Re: Time based rules ...
From: hare ram @ 2002-11-14 9:37 UTC
To: dharmu, Raymond Leach; +Cc: Netfilter Mailing List
Yes,
P-O-M supports the time module.
Please check Netfilter.
hare
----- Original Message -----
From: "Dharmendra.T" <dharmu@nsecure.net>
To: "Raymond Leach" <raymondl@knowledgefactory.co.za>
Cc: "Netfilter Mailing List" <netfilter@lists.netfilter.org>
Sent: Thursday, November 14, 2002 11:44 AM
Subject: Re: Time based rules ...
> But I don't think we can specify the time option in iptables. If any modules
> are there using which we can specify the time let us know.
>
> Regards,
> Dharmendra.T
> Linux Security Expert
> www.nsecure.net
> dharmu@nsecure.net
> On Thursday 14 November 2002 10:12, Raymond Leach wrote:
> > Hi
> >
> > Yes, all my chains default policies are set to DROP.
> >
> > I believe in taking the paranoid approach to security: assume everything
> > is bad and then only allow what you know to go where you want it to. I'm
> > sure you know the cliche by now :- 'where do you want to go today?'
> >
> > On Linux we know where we want to go ...
> >
> > Ray
> >
> > On Thu, 2002-11-14 at 07:08, Dharmendra.T wrote:
> > > What is the default policy you have set for? I guess it is by dropping all
> > > the packets from the forward chain and then you are allowing
> > > accordingly. Regards,
> > > Dharmendra.T
> > > Linux Security Expert
> > > www.nsecure.net
> > > dharmu@nsecure.net
> > >
> > > On Wednesday 13 November 2002 20:31, Raymond Leach wrote:
> > > > Hi
> > > >
> > > > Is there a way to put time restrictions on rules?
> > > > For example, something like:
> > > >
> > > > iptables -A FORWARD -i eth0 -p tcp -sport 1024: -dport 1024: -time
> > > > 0700:1700 -j DROP
> > > >
> > > > It would be nice ...
> > > >
> > > > Ray
>
> --
>
>
>