From: "Mark E. Donaldson" <markee@bandwidthco.com>
To: mpdykeman@micron.com, netfilter@lists.netfilter.org
Subject: RE: Netfilter connection management
Date: Tue, 25 Nov 2003 08:45:00 -0800
Message-ID: <200311251645.hAPGjNiu032437@server5.bandwidthco.com>
In-Reply-To: <040405FAA8D7CD41BCA471B1A3451EE305AA7A@ntxboimbx08.micron.com>
Well I'm certainly no smarter than Jeff, but I will offer you an answer
based on what I would do if I were to attempt what you are trying to do.
First of all, and someone will surely correct me if I'm wrong here, I do
not believe IPTables offers any built-in means to manipulate the connection
tables from user space. However, there is a very nice free tool (perl
script) out there called Conntrack Viewer (get it here
http://cv.intellos.net/) which reads and formats netfilter connection
tables. You could simply write an additional perl script which continually
calls, refreshes, and parses the output of Conntrack Viewer, looking for the
desired connection states. When one is found, because perl can do so well
what perl does, cutter then could be called to deal with this connection. I
know this isn't exactly what you are looking for, but it should get the job
done.
_____
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
mpdykeman@micron.com
Sent: Monday, November 24, 2003 10:26 AM
To: netfilter@lists.netfilter.org
Subject: Netfilter connection management
Hello,
I posted a more verbose message and did not get any replies earlier. So
please forgive me if I am appearing a bit clueless.
Is there any way using Iptables or some other command-line tool to manage the
Netfilter connection hash tables? More specifically, I would like to be able
to remove ASSURED connections as a component of a method to cut off existing
connections that are suspect of virus activity. I really don't want to use a
tool like cutter to send RST's. It just seems that it would be much cleaner
to directly manipulate the hash.
Also, I have been noticing some occasional problems with ASSURED entries
possibly disappearing from the Netfilter connection hash (causing a rule
which checks for packets without SYN and not ESTABLISHED to start dropping
packets, which kills legitimate connections) and I'm trying to find a way to
log or somehow determine what caused the entry to be removed. I'm not sure
logging RST's or FIN's will locate all reasons for a table entry drop.
Any assistance or helpful direction someone could provide me would be
appreciated.
Thanx.
-- Markley Dykeman
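The polling approach Mark describes (re-read the connection table, parse it, pick out entries in the states you care about) and Markley's second question (notice when an ASSURED entry vanishes) both come down to parsing the conntrack table and diffing successive snapshots. The script below is an added example, not code from this thread and not Conntrack Viewer: it reads the raw `/proc/net/ip_conntrack` text of 2.4/2.6-era kernels directly instead of going through Conntrack Viewer. The file path, the poll interval and the sample table lines are assumptions constructed for the example.

```python
"""Poll the netfilter connection table, pick out entries by TCP state, and
log ASSURED entries that vanish between two polls.

Added example, not code from the original thread or from Conntrack Viewer.
CONNTRACK_PATH, the poll interval and the SNAPSHOT_* lines are assumptions."""
import time
from typing import Any, Dict, List, Optional, Set, Tuple

CONNTRACK_PATH = "/proc/net/ip_conntrack"  # assumed location on the firewall host
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

# Constructed sample lines in the /proc/net/ip_conntrack layout: protocol,
# protocol number, timeout, optional TCP state, original-direction tuple,
# optional [UNREPLIED], reply-direction tuple, optional [ASSURED], use count.
SNAPSHOT_1 = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=3245 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=3245 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.6 sport=3246 dport=25 [UNREPLIED] src=198.51.100.6 dst=192.0.2.11 sport=25 dport=3246 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=1025 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=1025 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=198.51.100.7 sport=4000 dport=443 src=198.51.100.7 dst=192.0.2.12 sport=443 dport=4000 [ASSURED] use=1
"""
# A later poll (constructed): the 25/tcp flow has become ASSURED, the DNS
# entry timed out as expected, and the ASSURED 443/tcp entry has vanished.
SNAPSHOT_2 = """\
tcp      6 431000 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=3245 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=3245 [ASSURED] use=1
tcp      6 60 TIME_WAIT src=192.0.2.11 dst=198.51.100.6 sport=3246 dport=25 src=198.51.100.6 dst=192.0.2.11 sport=25 dport=3246 [ASSURED] use=1
"""

Entry = Dict[str, Any]
Key = Tuple[str, str, str, str, str]  # proto, orig src, orig sport, orig dst, orig dport


def parse_line(line: str) -> Optional[Entry]:
    """Parse one conntrack line; return None for blank or malformed lines."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit() or not tokens[2].isdigit():
        return None
    entry: Entry = {"proto": tokens[0], "protonum": int(tokens[1]),
                    "timeout": int(tokens[2]), "state": None, "flags": [],
                    "orig": {}, "reply": {}, "extra": {}}
    rest = tokens[3:]
    # TCP lines carry a state word before the tuples; UDP/ICMP lines do not.
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = "orig"
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])   # ASSURED / UNREPLIED
            continue
        if "=" not in tok:
            continue
        k, v = tok.split("=", 1)
        if k not in TUPLE_KEYS:
            entry["extra"][k] = v              # use=, mark= and similar
            continue
        if k == "src" and entry["orig"]:       # second src= starts the reply tuple
            side = "reply"
        entry[side][k] = v
    return entry


def entry_key(e: Entry) -> Key:
    o = e["orig"]
    return (e["proto"], o.get("src", ""), o.get("sport", ""),
            o.get("dst", ""), o.get("dport", ""))


def parse_table(text: str) -> Dict[Key, Entry]:
    """Parse a whole table into a dict keyed by the original-direction tuple."""
    table: Dict[Key, Entry] = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            table[entry_key(e)] = e
    return table


def find_states(table: Dict[Key, Entry], wanted: Set[str]) -> List[Key]:
    """Keys of entries whose TCP state is in `wanted` (the 'desired states' poll)."""
    return [k for k, e in table.items() if e["state"] in wanted]


def assured_entries_gone(prev: Dict[Key, Entry], curr: Dict[Key, Entry]) -> List[Key]:
    """Keys that were [ASSURED] in the previous poll but are absent now.

    An ASSURED entry disappearing is what makes a 'no SYN and not
    ESTABLISHED' rule start dropping legitimate packets, so these are the
    ones worth logging with a timestamp for later correlation."""
    return [k for k, e in prev.items() if "ASSURED" in e["flags"] and k not in curr]


def watch(path: str = CONNTRACK_PATH, interval: float = 2.0) -> None:
    """Poll the live table and print vanished ASSURED entries as they occur."""
    prev: Dict[Key, Entry] = {}
    while True:
        with open(path) as fh:
            curr = parse_table(fh.read())
        for k in assured_entries_gone(prev, curr):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "ASSURED entry gone:", k)
        prev = curr
        time.sleep(interval)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots; call watch() on a host.
    print("vanished:", assured_entries_gone(parse_table(SNAPSHOT_1), parse_table(SNAPSHOT_2)))
```

Polling can only bound when an entry vanished to within one interval, and a short-lived entry that appears and disappears between two reads is missed entirely; the timestamped log is still enough to line a drop up against firewall logs for RST/FIN traffic or against the table's own timeout values.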