From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: input filter
Date: Thu, 6 Jan 2005 11:08:06 -0500
Message-ID: <20050106160806.GA28410@bender.817west.com>
In-Reply-To: <20050105223043.94871.qmail@web53908.mail.yahoo.com>

On Wed, Jan 05, 2005 at 02:30:43PM -0800, Bhasker Allam wrote:
> There are a few situations that I can think of:
> 
> - A spurious host/hosts sending garbage packets. If I
> know either source IP/subnet or mac address I can put
> in a filter and drop all the packets from spurious
> sources with minimal effort. Why should I spend cycles
> doing the route lookup?

-t mangle PREROUTING is an acceptable place to do "first things first"
filtering/packet scrubbing.  it's where i do things like anti-spoofing
rules and invalid TCP flag combo rules.

> - I could do policy based routing. That is, I want
> packets from interface X or subnet S to go out on
> interface Y all the rest go via the normal routing
> path. From what I read this is not possible now.

whatcha been reading?  it's certainly possible:

  http://lartc.org/howto/lartc.rpdb.html

> - If I use my linux box as a router I could have policies
> on different interfaces to do different things. For
> example, I might not want packets arriving from
> certain sources to reach certain destinations. It does
> not matter whether I am forwarding or not. You could
> say I could put that in the output filter, but my
> argument is why should I have to go through route lookup if
> I don't have to?

you're starting to toe the line as to what should go in your normal
filter rules here--but that's just IMHO.

-j

--
"Beer. Now there's a temporary solution."
        --The Simpsons
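As an added example, not from this thread or its posters: a small sh script that puts the "first things first" anti-spoofing and invalid-TCP-flag rules into -t mangle PREROUTING, as the reply describes, and sets up the RPDB policy route (by source subnet and by incoming interface) that the quoted question asks about. The interface names, the 192.168.1.0/24 subnet, routing table 100 and gateway 203.0.113.1 are assumed values; unless APPLY=1 is set the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original thread: "first things first" scrubbing
# in -t mangle PREROUTING, plus an RPDB rule for the policy-routing case.
# Assumed (not in the mail): WAN eth0; LAN eth1 = 192.168.1.0/24; second
# uplink eth2 with gateway 203.0.113.1 (documentation range) in table 100.
# With DRY_RUN=1 the commands are printed instead of executed (no root needed).

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Anti-spoofing: private, loopback and link-local sources never legitimately
# arrive on the WAN interface, so drop them before any routing decision.
scrub_prerouting() {
    wan=$1
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16; do
        run iptables -t mangle -A PREROUTING -i "$wan" -s "$net" -j DROP
    done
    # Invalid TCP flag combinations: NULL and XMAS segments, SYN paired with
    # FIN or RST, FIN/RST together, and FIN/URG/PSH without ACK.
    for combo in "ALL NONE" "ALL ALL" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST" \
                 "FIN,RST FIN,RST" "ACK,FIN FIN" "ACK,URG URG" "ACK,PSH PSH"; do
        # $combo is left unquoted on purpose: it must split into mask and compare.
        run iptables -t mangle -A PREROUTING -p tcp --tcp-flags $combo -j DROP
    done
    # Conntrack runs before mangle in PREROUTING, so its INVALID verdict is usable here.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
}

# Policy routing (LARTC RPDB): traffic from $subnet, or arriving on $iif, is
# looked up in $table, which only knows the alternate uplink's default route.
policy_route() {
    subnet=$1 iif=$2 table=$3 dev=$4 gw=$5
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$subnet" table "$table" priority 1000
    run ip rule add iif "$iif" table "$table" priority 1001
}

# Stand-alone run: print the rule set unless APPLY=1 was given explicitly.
[ "${APPLY:-}" = 1 ] || DRY_RUN=1
scrub_prerouting eth0
policy_route 192.168.1.0/24 eth1 100 eth2 203.0.113.1
```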

