From: Eric Leblond <eleblond@inl.fr>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: matching the first packet of a connection
Date: Wed, 04 May 2005 23:21:02 +0200
Message-ID: <1115241663.5410.18.camel@porky>
In-Reply-To: <4279248D.9090903@riverviewtech.net>

Hi,

The problem seems difficult to explain, so here are the details:

In the scope of the NuFW project we need to queue SYN packets for
connections we want to authenticate (see http://www.nufw.org/ for details
on the principles). For a single connection we want to QUEUE only the first
packet coming to the firewall (the SYN packet in the case of TCP). All
subsequent packets of the connection, even if they are also SYN packets
(if for example the server is unreachable or does not exist), have to be
authorized or dropped depending on the decision taken on the first packet.
In fact this is an extension of the ESTABLISHED or RELATED match.

I hope my problem is clearly explained this time.

BR and thanks for the help


On Wed, 2005-05-04 at 14:37 -0500, Taylor, Grant wrote:
> > I'm trying to match the first packet of a connection : for a TCP
> > connection I want to match the first SYN packet received by the firewall
> > and ignore the possible reemission, in fact I want to accept them.
> > 
> > Is this possible ?
> > 
> > I've tried to use the conntrack module but I was not successful.
> 
> Question:  Are you wanting to just silently DROP the first connection attempt and force people to try to reconnect via retransmission of the SYN packet?  If that is the case you will want to do something outside of the connection tracking match extensions that exist because (as far as I know and understand) they all deal within a given connection.  You are really wanting to break / prevent one connection attempt and then allow the subsequent ones.  Or at least that's how I understand what you have written.  I have a feeling that you will be playing with the recent or set match extensions where you add a connection attempt to a recent list or set list while dropping the first connection attempt packet.  Subsequent connection attempt packets can then be matched against the recent list or set list to see if there has been a connection attempt dropped and if so accept the present connection attempt.
> 
> If you give me more to work with I might be able to come up with a rule set to help you out.
> 
> 
> 
> Grant. . . .
> 
-- 
Eric Leblond <eric@regit.org>
NuFW, Now User Filtering Works : http://www.nufw.org
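One way to get the behaviour Eric describes above, as an added example in shell that is not code from the thread or from NuFW: only the first packet of a forwarded connection is queued, and an accept verdict is cached in the connection mark, so later packets of that connection, retransmitted SYNs included, are decided by the mark instead of being queued again. It assumes a kernel with the NFQUEUE target and a daemon that answers with libnetfilter_queue's nfq_set_verdict2(), both newer than this 2005 thread, and the hypothetical mark values 1 (accepted) and 0 (not yet judged).

```shell
#!/bin/sh
# Added example (not code from the thread or from NuFW).
# Assumptions: Linux with conntrack, connmark, mark and NFQUEUE support; the
# userspace daemon reads queue QUEUE_NUM and answers each packet with
# nfq_set_verdict2(), setting the packet mark to 1 when it accepts.
IPT=${IPT:-iptables}       # IPT=echo prints the rules instead of loading them
QUEUE_NUM=${QUEUE_NUM:-0}

first_packet_rules() {
    chain=${1:-FORWARD}

    # 1. Connections the daemon already accepted: the connection mark, not a
    #    new round trip to userspace, decides every further packet, including
    #    retransmitted SYNs (they belong to the same conntrack entry).
    $IPT -A "$chain" -m connmark --mark 1 -j ACCEPT

    # 2. The plain ESTABLISHED/RELATED part: traffic of connections already
    #    seen in both directions is accepted.
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. An unjudged connection (first SYN, or a SYN whose verdict is not
    #    stored yet) goes to userspace. Everything else hits the chain policy.
    $IPT -A "$chain" -m conntrack --ctstate NEW -m connmark --mark 0 \
        -j NFQUEUE --queue-num "$QUEUE_NUM"

    # 4. A reinjected packet resumes at the next hook, not at the next filter
    #    rule, so the packet mark chosen by the daemon is copied into the
    #    connection mark here, before conntrack confirms the entry.
    $IPT -t mangle -A POSTROUTING -m mark ! --mark 0 -m connmark --mark 0 \
        -j CONNMARK --save-mark
}

# Usage: "sh first_packet.sh load [chain]" as root, or with IPT=echo to preview.
if [ "${1:-}" = load ]; then
    first_packet_rules "${2:-FORWARD}"
fi
```

A drop verdict cannot be cached the same way: a first packet that is dropped never confirms its conntrack entry, so each retransmitted SYN of a refused connection is queued and refused again by the daemon.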