From: Georgi Alexandrov <georgi.alexandrov@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: running commands when packet matched
Date: Mon, 05 Dec 2005 19:26:36 +0200 [thread overview]
Message-ID: <4394784C.8030800@gmail.com> (raw)
In-Reply-To: <1133655073.17460.4.camel@porky>
Eric Leblond wrote:
>On Sat, 2005-12-03 at 17:39 -0500, James Rhett Aultman wrote:
>
>
>>Dear Netfilter users,
>>
>> Again, to explain the mechanism I need: when the
>>machine encounters a packet matching a rule, I want the machine to run a
>>specific program and drop the packet.
>>
>>Is something like this possible using iptables or another netfilter project?
>>
>>
>
>Yes, just use the QUEUE or NFQUEUE target. This sends the packet to userspace,
>and there you can do what you want. In your case, match and accept the
>packets, and then, when a match is done, do your job ....
>
>If you need some code example, you can have a look at NuFW :
> http://www.nufw.org/
>
>By the way, you could also have a look at ulogd2 which brings some
>features that may interest you :
> http://svn.gnumonks.org/branches/ulog/ulogd2/
>
>
>BR,
>
>
But actually the truth is that this is a job for an IDS/IPS such as
Snort(.org), not netfilter.
A cite from: http://www.snort.org/docs/faq/1Q05/node91.html
" But one caveat... running external binaries can also be a performance
limiter and you should read the caution below...
CHRISTOPHER CRAMER wrote:
I'm sure this has been mentioned before in similar discussions, but
this feels like a _really_ bad idea. What if the bad guys realize
what is going on and make use of your blocking method as a DoS
attack. All one would have to do is start sending a series of
triggering packets with spoofed IP addresses.
Since I am no longer interested in breaking into your site, but
rather making your life hell, I don't worry about the resulting data
getting back to me. All I have to do is start proceeding up a list
of IP addresses that I think you should no longer be able to talk
to. When you come in the next morning, you find that you can no
longer access the world.
Just my $0.02.
Danger Will Robinson: Conventional wisdom says that auto-blocking is
inherently dangerous."
Enjoy! :-)
Georgi Alexandrov
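The two replies above describe the mechanism (a QUEUE/NFQUEUE rule hands the matched packet to a userspace program, which runs the external command and issues a DROP verdict) and the caveat (an attacker who understands the auto-block can feed it spoofed triggers and cut the box off from the world). The following is an added example, not code from the thread, NuFW, ulogd2 or Snort. It shows only the policy layer such a userspace program would run before shelling out; the packet plumbing is assumed to be an iptables rule like `iptables -A INPUT -p tcp --dport 2323 -j NFQUEUE --queue-num 1` with a reader built on libnetfilter_queue (or python-netfilterqueue) that calls `AutoBlocker.handle()` for each packet and applies the verdict. The names `AutoBlocker`, `block_command`, `run_block` and `spoofed_flood` are this example's own, and the block command is a placeholder for a site-specific program. All packets are constructed in the block.

```python
"""Policy layer for an NFQUEUE-driven auto-blocker (added example).

Mitigations for the spoofed-trigger DoS quoted from the Snort FAQ:
  - allowlist: addresses you must never cut yourself off from
  - ACK gate: act only on packets that prove the sender completed a handshake
  - rate limit: at most `max_actions` block actions per `window` seconds
  - bounded table with TTL: blocks expire, oldest is evicted at the cap
"""
import ipaddress
import subprocess
from collections import OrderedDict

SYN = 0x02
ACK = 0x10
DROP = "DROP"  # the matched packet itself is always dropped, as the thread asks


class AutoBlocker:
    def __init__(self, never_block, max_blocked=256, block_ttl=600,
                 max_actions=10, window=60):
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.max_blocked = max_blocked
        self.block_ttl = block_ttl
        self.max_actions = max_actions
        self.window = window
        self.blocked = OrderedDict()   # source ip -> expiry time, oldest first
        self.action_times = []         # times of recent block actions

    def _expire(self, now):
        for ip, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[ip]
        self.action_times = [t for t in self.action_times if now - t < self.window]

    def handle(self, src_ip, tcp_flags, now):
        """Return (verdict, run_block_program, reason) for one matched packet."""
        self._expire(now)
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.never_block):
            return DROP, False, "allowlisted"
        if not tcp_flags & ACK:
            # A bare SYN carries no proof that the source address is real.
            return DROP, False, "unverified source"
        if ip in self.blocked:
            # Repeats from an already blocked source must not consume budget.
            return DROP, False, "already blocked"
        if len(self.action_times) >= self.max_actions:
            return DROP, False, "rate limited"
        if len(self.blocked) >= self.max_blocked:
            self.blocked.popitem(last=False)  # evict the oldest entry, keep the table bounded
        self.blocked[ip] = now + self.block_ttl
        self.action_times.append(now)
        return DROP, True, "block"


def block_command(src_ip):
    """argv for the external program (hypothetical; the real command is site specific)."""
    ip = ipaddress.ip_address(src_ip)   # re-parse: anything that is not an address raises
    return ["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def run_block(src_ip, runner=subprocess.run):
    # argv list and no shell, so the address can never be read as shell syntax
    return runner(block_command(src_ip), check=False)


def spoofed_flood(count, flags, at_time=0.0):
    """Constructed packets: `count` distinct fake sources in 10.0.0.0/8 at one instant."""
    base = ipaddress.ip_address("10.0.0.0")
    return [(str(base + i), flags, at_time) for i in range(count)]


def simulate(blocker, packets):
    """Feed (src_ip, tcp_flags, time) tuples; return how many block actions would run."""
    return sum(1 for ip, flags, t in packets if blocker.handle(ip, flags, t)[1])


if __name__ == "__main__":
    b = AutoBlocker(never_block=["192.0.2.1/32", "198.51.100.0/24"])
    print("5000 spoofed SYNs ->", simulate(b, spoofed_flood(5000, SYN)), "block actions")
    print("5000 ACK sources  ->", simulate(b, spoofed_flood(5000, ACK)), "block actions")
```

With this policy the flood the FAQ describes is reduced to dropped packets: bare SYNs never trigger the external program, sources that did complete a handshake are capped at ten block actions a minute, the table cannot grow past `max_blocked`, and the gateway and resolvers in `never_block` can never be shut out. The ACK gate is a practical heuristic, not proof of identity; a real IDS/IPS, as the reply above suggests, is the better home for this decision.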
Thread overview: 4+ messages
2005-12-03 22:39 running commands when packet matched James Rhett Aultman
2005-12-04 0:11 ` Eric Leblond
2005-12-05 17:26 ` Georgi Alexandrov [this message]
2005-12-05 17:48 ` James Rhett Aultman