* raw/NOTRACK + TARPIT = good idea?
From: Juan Carlos Castro y Castro @ 2003-11-21 21:55 UTC (permalink / raw)
To: netfilter-devel
I'm thinking about the TARPIT target, and that it's a shame it will use resources if my box does conntrack. But if I previously pass them through -t raw -j NOTRACK, can I have the best of both worlds, i.e., a routing NAT box that is able to tarpit undesired packets itself?
* Re: raw/NOTRACK + TARPIT = good idea?
From: Jozsef Kadlecsik @ 2003-11-24 8:11 UTC (permalink / raw)
To: Juan Carlos Castro y Castro; +Cc: netfilter-devel
On Fri, 21 Nov 2003, Juan Carlos Castro y Castro wrote:
> I'm thinking about the TARPIT target, and that it's a shame it will
> use resources if my box does conntrack. But if I previously pass them
> through -t raw -j NOTRACK, can I have the best of both worlds, i.e., a
> routing NAT box that is able to tarpit undesired packets itself?
Yes, but you have to take care of both directions for the tarpitted
sessions. That's the price of using the NOTRACK target.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: raw/NOTRACK + TARPIT = good idea?
From: IP v6 @ 2003-12-02 4:38 UTC (permalink / raw)
To: netfilter-devel
I would like to do this also but I don't quite understand what you mean with "take care both directions for the tarpitted sessions".
I'm a bit confused there, could you explain? :)
Wkr, Robby
> ----------------------------------------
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Sent: Mon Nov 24 09:11:17 CET 2003
> To: Juan Carlos Castro y Castro <jcastro@vialink.com.br>
> Subject: Re: raw/NOTRACK + TARPIT = good idea?
>
>
> On Fri, 21 Nov 2003, Juan Carlos Castro y Castro wrote:
>
> > I'm thinking about the TARPIT target, and that it's a shame it will
> > use resources if my box does conntrack. But if I previously pass them
> > through -t raw -j NOTRACK, can I have the best of both worlds, i.e., a
> > routing NAT box that is able to tarpit undesired packets itself?
>
> Yes, but you have to take care of both directions for the tarpitted
> sessions. That's the price of using the NOTRACK target.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
* Re: raw/NOTRACK + TARPIT = good idea?
From: Henrik Nordstrom @ 2003-12-02 9:13 UTC (permalink / raw)
To: IP v6; +Cc: netfilter-devel
On Tue, 2 Dec 2003, IP v6 wrote:
> I would like to do this also but I don't quite understand what you mean
> with "take care both directions for the tarpitted sessions".
What I think Harald is saying is that you need to NOTRACK packets in both
directions of the TARPIT:ed sessions. If not, conntrack might pick up the
session on the first faked reply packet sent by TARPIT.
But then this does not seem to be the case. It seems TARPIT sends the
reply packets directly to the network interface, bypassing the netfilter
hooks, so this does not seem to be needed.
Regards
Henrik
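The ruleset the thread is circling around, written out as an added example (it is not code from the thread or from the netfilter project): a raw-table NOTRACK rule for the inbound direction, the matching OUTPUT-side NOTRACK rule that Jozsef's "both directions" answer asks for, and the TARPIT rule itself in the filter table. It assumes an iptables with the raw table and a kernel that has the TARPIT target (out of tree at the time); PORT and EXT_IF are placeholders for the tarpitted port and the external interface. Without the NOTRACK rules, every tarpitted client would cost a conntrack entry, which is exactly the resource use the original question wants to avoid.

```shell
#!/bin/sh
# Added example, not from the thread: tarpit unwanted TCP connections to one
# local port while keeping conntrack out of the loop. Assumes an iptables
# with the 'raw' table (NOTRACK) and the TARPIT target available (it shipped
# out of tree, in patch-o-matic at the time, later in xtables-addons).
# PORT and EXT_IF are placeholders for the tarpitted port and the external
# interface; adjust them for your box.

PORT="${PORT:-135}"
EXT_IF="${EXT_IF:-eth0}"

# Wrapper so the ruleset can be reviewed without touching the kernel:
# with DRY_RUN=1 the commands are printed instead of executed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

tarpit_rules() {
    # Inbound direction: exempt everything arriving for that port from
    # connection tracking before conntrack sees it, so no state entry is
    # ever allocated for a tarpitted client.
    ipt -t raw -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PORT" -j NOTRACK

    # Outbound direction: the "both directions" part of Jozsef's answer.
    # Anything the box itself emits from that port is exempted too, so a
    # reply cannot create the state the inbound rule avoided. Given Henrik's
    # observation that TARPIT injects its replies below the netfilter hooks,
    # this rule is cheap insurance rather than strictly required.
    ipt -t raw -A OUTPUT -o "$EXT_IF" -p tcp --sport "$PORT" -j NOTRACK

    # Filter table: answer the connection and hold it open with TARPIT
    # instead of dropping or rejecting it.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$PORT" -j TARPIT
}

# Print the ruleset (dry run, safe to run unprivileged).
show_rules() {
    ( DRY_RUN=1; tarpit_rules )
}

# Number of generated rules matching a pattern, used to check the ruleset.
count_rules() {
    show_rules | grep -c -- "$1"
}

case "${1:-show}" in
    apply) tarpit_rules ;;   # load the rules for real (needs root)
    *)     show_rules ;;     # default: only print them
esac
```

Run it with no argument to print the three rules, or with `apply` as root to load them. The rule order matters: the raw table is consulted before conntrack, which is the whole point of putting the NOTRACK rules there rather than in filter.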