From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: matching the first packet of a connection
Date: Thu, 05 May 2005 02:53:18 -0500 [thread overview]
Message-ID: <4279D0EE.2060706@riverviewtech.net> (raw)
In-Reply-To: <1115241663.5410.18.camel@porky>
> In the scope of the NuFW project we need to queue SYN packets for
> connections we want to authenticate (see http://www.nufw.org/ for details
> on principles). For a single connection we want to QUEUE only the first
> packet coming to the firewall (the SYN packet in the case of TCP). All
> subsequent packets of the connection, even if they are also SYN packets
> (if for example the server is unreachable or does not exist), have to be
> authorized or dropped depending on the decision taken on the first packet.
> In fact this is an extension of the ESTABLISHED or RELATED match.
After doing much deliberating and research I have come up with one thing that you might be able to try:
iptables -t filter -A FORWARD -i $LAN -o $INet -m state --state NEW -m connbytes ! --connbytes 1: --connbytes-dir original --connbytes-mode packets -j QUEUE
In theory this rule will look for and match against any packet that is passing from the $LAN to the $INet with a state of NEW and has NOT seen more than one packet coming from the original sending system. After reading about NuFW they are queuing packets via the QUEUE target.
Give this a shot and let me know what you think.
Grant. . . .
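Added example, not part of the thread: a small Python model of what the rule above is meant to achieve. It mirrors the conntrack behaviour the rule relies on: a flow's packet counter in the original direction is still 0 when its first packet reaches the filter, so only that packet is "queued" to a user-space decision function (NuFW's job); every later packet of the flow, retransmitted SYNs included, is handled with the verdict already taken. The five-tuple flow table, the `port_policy` decision function and the traffic in `run_demo` are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Flow key: (src, sport, dst, dport, proto); the reply direction is the mirror image.
FlowKey = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reply_key(self) -> FlowKey:
        return (self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Conn:
    # What "-m connbytes --connbytes-dir original --connbytes-mode packets" counts.
    orig_packets: int = 0
    reply_packets: int = 0
    # Verdict returned by the user-space authenticator for the queued first packet.
    verdict: Optional[str] = None


class FirstPacketFilter:
    """Queues the first original-direction packet of each flow; later packets reuse the verdict."""

    def __init__(self, decide: Callable[[Packet], str]):
        self.decide = decide          # stand-in for the user-space program reading the QUEUE
        self.table: Dict[FlowKey, Conn] = {}
        self.queued = 0               # how many packets were handed to user space

    def handle(self, pkt: Packet) -> str:
        if pkt.key() in self.table:
            conn, direction = self.table[pkt.key()], "original"
        elif pkt.reply_key() in self.table:
            conn, direction = self.table[pkt.reply_key()], "reply"
        else:
            conn, direction = Conn(), "original"      # state NEW: first packet of the flow
            self.table[pkt.key()] = conn

        # Equivalent of "--state NEW -m connbytes ! --connbytes 1:" in the original
        # direction: no original packet counted yet, so this one goes to QUEUE.
        if direction == "original" and conn.orig_packets == 0:
            self.queued += 1
            conn.verdict = self.decide(pkt)

        if direction == "original":
            conn.orig_packets += 1
        else:
            conn.reply_packets += 1
        return conn.verdict


def port_policy(pkt: Packet) -> str:
    """Constructed decision: allow web, refuse telnet; real NuFW asks the user to authenticate."""
    return "ACCEPT" if pkt.dport == 80 else "DROP"


def run_demo():
    """Constructed traffic: a SYN, a retransmitted SYN, the SYN-ACK reply and the final ACK."""
    fw = FirstPacketFilter(decide=port_policy)
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 80, syn=True)
    log = [
        ("syn", fw.handle(syn)),
        ("syn-retransmit", fw.handle(syn)),                 # not queued again
        ("syn-ack", fw.handle(Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=True))),
        ("ack", fw.handle(Packet("10.0.0.5", 40000, "192.0.2.10", 80))),
    ]
    return fw, log


if __name__ == "__main__":
    fw, log = run_demo()
    for name, verdict in log:
        print(f"{name:15s} -> {verdict}")
    print(f"packets queued to user space: {fw.queued}")
```

One caveat the model glosses over: it remembers a DROP verdict for the flow, but on a real netfilter host a NEW packet that is dropped in the filter table never has its conntrack entry confirmed, so a retransmitted SYN arrives as a fresh NEW flow with a packet count of 0 and is queued again. Whether that matters depends on whether the user-space side can cheaply repeat its decision.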
Thread overview: 11+ messages
2005-05-04 15:21 matching the first packet of a connection Eric Leblond
2005-05-04 17:43 ` George Alexandru Dragoi
2005-05-04 18:50 ` Eric Leblond
2005-05-04 17:57 ` Thomas Jones
2005-05-04 18:11 ` Daniel Lopes
2005-05-04 18:34 ` Jason Opperisano
2005-05-04 19:37 ` Taylor, Grant
2005-05-04 21:21 ` Eric Leblond
2005-05-04 21:36 ` Taylor, Grant
2005-05-05 7:53 ` Taylor, Grant [this message]
2005-05-04 21:30 ` Eric Leblond