From: Mark Frey
Subject: Re: How to ignore incoming packets
Date: Thu, 28 Aug 2003 19:47:43 -0400
Message-ID: <3F4E949F.1020701@sympatico.ca>
References: <3F4CBDEC.6F623298@f3g.de> <3F4D244B.1030109@sympatico.ca> <3F4DBAF8.BBF8B7FA@f3g.de> <3F4DE6C1.7050304@sympatico.ca>
In-Reply-To: <3F4DE6C1.7050304@sympatico.ca>
To: Sudheimer
Cc: linux-diald@vger.kernel.org

Hi Joachim,

I've created a new template rule file here and it seems to be working well :-)

All the rules match only on my own dynamic source address, thus ignoring *anything* coming in. If I don't originate packets the link will not be kept up. This assumes the firewall drops everything not associated with an allowed connection and does not generate reject packets. I might have to add some specific rules if I need, for example, incoming UDP streaming media to keep the link up, if the protocol does not generate periodic outgoing packets back to the server...

Here's the bare-bones template file:

# Rule for while offline, proxy address:
accept any 120 ip.saddr=192.168.0.1

# Rules for when we're online:
# Keep up for 29 minutes after last web access
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.http
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.https
# Keep link up for a while after popping mail
accept tcp 900 ip.saddr=192.168.255.255,tcp.dest=tcp.pop3
# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 30 ip.saddr=192.168.255.255,!tcp.live
# 2 minutes for anything else we originate
accept any 120 ip.saddr=192.168.255.255

---------

And, the commands to put in the ip-up script (your file and fifo locations may vary):

# adjust filters for our current ip address ($3 is the new local address):
sed "s/192.168.255.255/$3/g" /usr/lib/diald/our.filter.template >/usr/lib/diald/our.filter
echo reset > /etc/diald/diald.ctl

Mark.

Mark Frey wrote:
> Hi Joachim,
>
> Thank you for pointing out the reset command!
>
> Diald passes your IP address to the ip-up script, if defined. You could
> make a template rule file with a unique pattern everywhere you want your
> own IP address to be, with lines something like this:
>
> ignore tcp ip.daddr=192.168.255.255,tcp.dest=tcp.telnet
>
> Then in the ip-up script ($3 contains the new local IP address):
>
> cat template_file | sed s/192.168.255.255/$3/g >diald_rule_file
> echo reset >/var/run/diald.fifo
>
> I'll see if I can find time to try this out here.
>
> Mark.
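The two-step ip-up procedure described in this thread (render the filter template for the link's current address, then tell diald to reset), as an added example that is not code from the post or from diald itself. The placeholder address 192.168.255.255 and the template/filter/control-file layout are taken from the post; the address check, the escaping of the placeholder's dots for sed, and the rule that no reset is sent after a failed render are this example's own additions. The demo at the bottom runs on a constructed template and temporary files, not on the real /usr/lib/diald and /etc/diald paths.

```shell
#!/bin/sh
# Added example, not code from the original post: an ip-up style helper that
# renders a diald filter template for the link's current address, then tells
# diald to reload. Placeholder and file layout follow the post; the address
# check and the "no reset after a failed render" rule are this example's own.

PLACEHOLDER=192.168.255.255   # dummy address used in the template (from the post)

# is_ipv4 ADDR: true only for a dotted quad with four 0-255 octets. The value
# diald hands ip-up as $3 should always be one, but checking it keeps a stray
# string (or sed syntax) out of the rule file that diald is about to load.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# render_filter TEMPLATE OUT ADDR: write OUT from TEMPLATE with every
# PLACEHOLDER replaced by ADDR. The dots in the placeholder are escaped so
# sed matches them literally; a bare s/192.168.255.255/ADDR/g treats each
# dot as "any character".
render_filter() {
    _tpl=$1; _out=$2; _ip=$3
    is_ipv4 "$_ip" || { echo "render_filter: not an IPv4 address: '$_ip'" >&2; return 1; }
    _pat=$(printf '%s' "$PLACEHOLDER" | sed 's/\./\\./g')
    # ADDR is digits and dots only (checked above), so it is safe as a sed
    # replacement: no '/', '&' or '\' can reach the expression.
    sed "s/$_pat/$_ip/g" "$_tpl" > "$_out"
}

# count_placeholders FILE: print how many placeholder occurrences remain,
# a cheap post-render check before the file is handed to diald.
count_placeholders() {
    grep -c -F "$PLACEHOLDER" "$1" || true
}

# ip_up TEMPLATE OUT CTL ADDR: the two steps from the post's ip-up script.
# The reset is sent only when the render succeeded and left no placeholder
# behind, so diald never reloads an empty or half-substituted rule file.
ip_up() {
    _tpl=$1; _out=$2; _ctl=$3; _ip=$4
    render_filter "$_tpl" "$_out" "$_ip" || return 1
    [ "$(count_placeholders "$_out")" -eq 0 ] || return 1
    echo reset > "$_ctl"
}

# Demo on a constructed template and temporary files. On a real system the
# arguments would be /usr/lib/diald/our.filter.template,
# /usr/lib/diald/our.filter, /etc/diald/diald.ctl and ip-up's "$3".
DEMO_TPL=$(mktemp); DEMO_OUT=$(mktemp); DEMO_CTL=$(mktemp)
cat > "$DEMO_TPL" <<'EOF'
accept any 120 ip.saddr=192.168.0.1
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.http
keepup tcp 30 ip.saddr=192.168.255.255,!tcp.live
EOF
ip_up "$DEMO_TPL" "$DEMO_OUT" "$DEMO_CTL" 10.1.2.3 && cat "$DEMO_OUT"
```

The offline proxy rule (192.168.0.1) is untouched by the render, which is the point of using a dummy address that appears nowhere else in the template: only the lines meant to follow the dynamic address change. Keep the placeholder out of any real address range you route, or the substitution will rewrite rules it should not.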