From: Mark Frey <markfrey@sympatico.ca>
To: Sudheimer <sudix@f3g.de>
Cc: linux-diald@vger.kernel.org
Subject: Re: How to ignore incoming packets
Date: Thu, 28 Aug 2003 19:47:43 -0400
Message-ID: <3F4E949F.1020701@sympatico.ca>
In-Reply-To: <3F4DE6C1.7050304@sympatico.ca>
Hi Joachim,
I've created a new template rule file here and it seems to be working
well :-)
All the rules match only on my own dynamic source address, thus ignoring
*anything* coming in. If I don't originate packets the link will not be
kept up. This assumes the firewall drops everything not associated with
an allowed connection and does not generate reject packets.
I might have to add some specific rules if I need for example incoming
udp streaming media to keep the link up if the protocol does not
generate periodic outgoing packets back to the server...
Here's the bare-bones template file:
# Rule for while offline, proxy address:
accept any 120 ip.saddr=192.168.0.1
# Rules for when we're online:
# Keep up for 29 minutes after last web access
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.http
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.https
# Keep link up for a while after popping mail
accept tcp 900 ip.saddr=192.168.255.255,tcp.dest=tcp.pop3
# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 30 ip.saddr=192.168.255.255,!tcp.live
# 2 minutes for anything else we originate
accept any 120 ip.saddr=192.168.255.255
---------
And, the commands to put in the ip-up script (your file and fifo
locations may vary):
# adjust filters for our current ip address:
cat /usr/lib/diald/our.filter.template | sed "s/192.168.255.255/$3/g" >/usr/lib/diald/our.filter
echo reset > /etc/diald/diald.ctl
Mark.
Mark Frey wrote:
> Hi Joachim,
>
> Thank you for pointing out the reset command!
>
> Diald passes your ip address to the ip-up script, if defined. You could
> make a template rule file with a unique pattern everywhere you want your
> own ip address to be, with lines something like this:
>
> ignore tcp ip.daddr=192.168.255.255,tcp.dest=tcp.telnet
>
> Then in the ip-up script ($3 contains the new local IP address):
>
> cat template_file | sed s/192.168.255.255/$3/g >diald_rule_file
> echo reset >/var/run/diald.fifo
>
> I'll see if I can find time to try this out here.
>
> Mark.
>
>
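The ip-up substitution step described in Mark's message, reworked as an added example that is not from the original mail or the diald project: it validates the address diald passes in as `$3` before it is spliced into a sed expression, escapes the placeholder's dots so sed matches them literally, and swaps the rendered filter file in atomically so a `reset` never reads a half-written file. The placeholder address and file paths mirror the mail and are assumptions to adjust locally.

```shell
#!/bin/sh
# Added example (not the mail's or diald's own code). Placeholder and paths
# are assumptions taken from the mail; adjust for your installation.

PLACEHOLDER=192.168.255.255

# is_ipv4 ADDR: true only for a dotted quad with every octet in 0..255.
# Runs in a subshell so changing IFS/set -f does not leak to the caller.
is_ipv4() (
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octets
    esac
    set -f                                  # no globbing while splitting
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# render_filter TEMPLATE OUT ADDR: write TEMPLATE to OUT with PLACEHOLDER
# replaced by ADDR. On a bad address it fails and leaves OUT untouched.
render_filter() {
    template=$1; out=$2; addr=$3
    is_ipv4 "$addr" || { echo "ip-up: bad local address '$addr'" >&2; return 1; }
    # Escape the dots so "192.168.255.255" cannot also match "192x168x255x255".
    pattern=$(printf '%s' "$PLACEHOLDER" | sed 's/\./\\./g')
    tmp="$out.tmp.$$"
    sed "s/$pattern/$addr/g" "$template" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"                     # atomic replace on the same filesystem
}

# Typical use from ip-up, where $3 is the new local address (as in the mail):
# render_filter /usr/lib/diald/our.filter.template /usr/lib/diald/our.filter "$3" \
#     && echo reset > /etc/diald/diald.ctl
```

Because the reset is chained with `&&`, a rejected address leaves the previous filter file in place and diald keeps running with its old rules instead of an empty or partial file.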