* Netfilter connection management
From: mpdykeman @ 2003-11-24 18:25 UTC (permalink / raw)
  To: netfilter

Hello,

I posted a more verbose message and did not get any replies earlier. So
please forgive me if I am appearing a bit clueless.

Is there any way using Iptables or some other command-line tool to manage
the Netfilter connection hash tables? More specifically, I would like to
be able to remove ASSURED connections as a component of a method to cut off
existing connections that are suspect of virus activity. I really don't
want to use a tool like cutter to send RST's...It just seems that it
would be much cleaner to directly manipulate the hash.

Also, I have been noticing some occasional problems with ASSURED entries
possibly disappearing from the Netfilter connection hash (causing a rule
which checks for packets without SYN and not ESTABLISHED to start
dropping packets which kills legitimate connections) and I'm trying to
find a way to log or somehow determine what caused the entry to be
removed....I'm not sure logging RST's or FIN's will locate all reasons
for a table entry drop.

Any assistance or helpful direction someone could provide me would be
appreciated.

Thanx.

-- Markley Dykeman


* Re: Netfilter connection management
From: Jeffrey Laramie @ 2003-11-24 18:50 UTC (permalink / raw)
  To: netfilter

mpdykeman@micron.com wrote:

> Hello,
>
> I posted a more verbose message and did not get any replies earlier. 
> So please forgive me if I am appearing a bit clueless.
>

I think most of the usual responders are taking a long weekend off. I've 
been trying to field a few of the easy questions that were sitting 
unanswered but this is way out of my league. If you don't get an answer 
today try to re-post it every few days. It's a good question and one of 
the smart people will see it eventually  ;-)

Jeff


* RE: Netfilter connection management
From: Mark E. Donaldson @ 2003-11-25 16:45 UTC (permalink / raw)
  To: mpdykeman, netfilter

Well I'm certainly no smarter than Jeff, but I will offer you an answer
based on what I would do if I were to attempt what you are trying to do.
First of all, and someone will surely correct me if I'm wrong here, I do
not believe IPTables offers any built-in means to manipulate the connection
tables from user space.  However, there is a very nice free tool (perl
script) out there called Conntrack Viewer (get it here
http://cv.intellos.net/) which reads and formats netfilter connection
tables.  You could simply write an additional perl script which continually
calls, refreshes, and parses the output of Conntrack Viewer, looking for the
desired connection states.  When one is found, because perl can do so well
what perl does, cutter then could be called to deal with this connection.  I
know this isn't exactly what you are looking for, but it should get the job
done.

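Mark's suggestion amounts to polling the conntrack table and picking entries out by state. The Python below is an added example, not code from the thread or from Conntrack Viewer: it parses lines in the /proc/net/ip_conntrack layout, lists ASSURED entries originating from a watch-listed host (the review step before anything is cut off), and diffs two snapshots to show which entries vanished and with what remaining timeout, which bears on the second question in the original post. The sample lines and the watch-listed address are constructed assumptions.

```python
import re

# Constructed sample of /proc/net/ip_conntrack output (2.4-era layout);
# not captured from a real host. Addresses are documentation ranges.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=1040 dport=25 src=203.0.113.5 dst=192.168.1.20 sport=25 dport=1040 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=203.0.113.9 sport=1041 dport=25 [UNREPLIED] src=203.0.113.9 dst=192.168.1.20 sport=25 dport=1041 use=1
tcp      6 431998 ESTABLISHED src=192.168.1.30 dst=198.51.100.7 sport=2222 dport=80 src=198.51.100.7 dst=192.168.1.30 sport=80 dport=2222 [ASSURED] use=1
udp      17 170 src=192.168.1.20 dst=192.168.1.1 sport=1024 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1024 [ASSURED] use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Parse one conntrack line into a dict (original direction only)."""
    fields = line.split()
    entry = {"proto": fields[0], "timeout": int(fields[2]), "state": None,
             "assured": "[ASSURED]" in fields, "unreplied": "[UNREPLIED]" in fields}
    if entry["proto"] == "tcp":          # only TCP lines carry a state word
        entry["state"] = fields[3]
    # First src/dst/sport/dport group is the original direction; the second
    # group (reply direction) and the use=/mark= fields are ignored here.
    orig = dict(KV.findall(line)[:4])
    entry.update(src=orig["src"], dst=orig["dst"],
                 sport=int(orig["sport"]), dport=int(orig["dport"]))
    return entry

def entries(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def tuple_key(e):
    return (e["proto"], e["src"], e["dst"], e["sport"], e["dport"])

def suspect_assured(text, watch_hosts):
    """ASSURED entries whose originating host is on the watch list: the
    candidates to review before any connection is cut off."""
    return [e for e in entries(text) if e["assured"] and e["src"] in watch_hosts]

def vanished(before, after):
    """Entries in snapshot `before` missing from `after`, with the timeout they
    showed last; a timeout near zero suggests expiry rather than early removal."""
    later = {tuple_key(e) for e in entries(after)}
    return [e for e in entries(before) if tuple_key(e) not in later]

if __name__ == "__main__":
    for e in suspect_assured(SAMPLE_CONNTRACK, {"192.168.1.20"}):
        print("ASSURED from watched host:", tuple_key(e), e["state"])
```

Taking snapshots at a short interval and logging the output of `vanished` alongside the firewall's RST/FIN log rules narrows down whether an ASSURED entry expired or was torn down early.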
