* selective connection tracking?
From: fming @ 2004-05-12 17:42 UTC
To: netfilter
Hi,
I am from the FreeBSD/ipfilter world. I recently switched to Linux and
netfilter. One question I have with netfilter connection tracking is whether
I can instruct the connection tracking to selectively track
connections.
It looks to me like once I loaded the conn_track modules, everything was tracked. Is
there a way I can specify, for example, that I only want HTTP to be tracked?
All other traffic will be dropped anyway, tracked or not.
Regards,
Ming
* Re: selective connection tracking?
From: clister @ 2004-05-12 17:53 UTC
To: netfilter
I think there is a raw target in POM and something like NOTRACK in order to
ignore conntracking for those connections...
Try it.
On Wednesday, 12 May 2004 19:42, fming@borderware.com wrote:
> Hi,
>
> I am from the FreeBSD/ipfilter world. I recently switched to Linux and
> netfilter. One question I have with netfilter connection tracking is
> whether I can instruct the connection tracking to selectively
> track connections.
>
> It looks to me like once I loaded the conn_track modules, everything was tracked.
> Is there a way I can specify, for example, that I only want HTTP to be
> tracked? All other traffic will be dropped anyway, tracked or not.
>
> Regards,
> Ming
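What clister describes above, as an added example that is not code from this thread or from the netfilter project: a POSIX shell script that emits an iptables-restore ruleset in which only HTTP is connection-tracked, and everything else is sent to NOTRACK in the raw table before conntrack ever sees it. The interface names (eth0/eth1), the internal network and the tracked-port list are assumptions for illustration and can be overridden through environment variables. On current kernels the raw table and NOTRACK are built in (NOTRACK survives as an alias of `-j CT --notrack`); on a 2004 kernel they needed the patch-o-matic (POM) addition clister mentions.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Generates an iptables-restore ruleset in which only HTTP (tcp/80) is
# connection-tracked: everything else hits NOTRACK in the raw table and
# never creates a conntrack entry. Interface names, the internal network
# and the port list are assumptions for illustration; adjust before use.

INT_IF="${INT_IF:-eth1}"               # assumed LAN-facing interface
EXT_IF="${EXT_IF:-eth0}"               # assumed Internet-facing interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed internal network
TRACKED_PORTS="${TRACKED_PORTS:-80}"   # TCP ports that should stay tracked

# raw table: traversed before the conntrack hook. ACCEPT here only ends
# raw-chain traversal, so accepted packets are still tracked; whatever
# falls through to the last rule is marked NOTRACK and bypasses conntrack.
raw_rules() {
    echo '*raw'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for p in $TRACKED_PORTS; do
        # Both directions must stay tracked, or the server's reply packets
        # of an HTTP flow would be untracked and never match ESTABLISHED.
        echo "-A PREROUTING -p tcp --dport $p -j ACCEPT"
        echo "-A PREROUTING -p tcp --sport $p -j ACCEPT"
        echo "-A OUTPUT -p tcp --dport $p -j ACCEPT"
        echo "-A OUTPUT -p tcp --sport $p -j ACCEPT"
    done
    echo '-A PREROUTING -j NOTRACK'
    echo '-A OUTPUT -j NOTRACK'
    echo 'COMMIT'
}

# filter table: untracked packets carry no conntrack state, so they can
# never match NEW or ESTABLISHED and fall to the DROP policy on their own.
# The explicit UNTRACKED rule only exists to make that drop visible in
# the counters (it is where you would hang a LOG rule while testing).
filter_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
    for p in $TRACKED_PORTS; do
        echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p tcp --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    echo "-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo '-A FORWARD -m conntrack --ctstate UNTRACKED -j DROP'
    echo 'COMMIT'
}

# Full ruleset in iptables-restore format (raw table first, then filter).
ruleset() {
    raw_rules
    filter_rules
}

# Number of NOTRACK rules that will be loaded: one per raw hook (2).
notrack_rule_count() {
    ruleset | grep -c -- '-j NOTRACK'
}

ruleset
```

Load it with `sh notrack-http.sh | iptables-restore` (run `iptables-restore --test` first to parse the ruleset without committing it), then confirm with `conntrack -L` or `cat /proc/net/nf_conntrack` that only port-80 flows appear in the table. Two caveats a practitioner should keep in mind: both directions of a tracked flow have to be exempted from NOTRACK, otherwise the replies become untracked and never match ESTABLISHED; and a flow that has been NOTRACKed cannot be NATed, because NAT is built on top of conntrack.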
* Re: selective connection tracking?
From: Antony Stone @ 2004-05-12 18:05 UTC
To: netfilter
On Wednesday 12 May 2004 6:53 pm, clister wrote:
> I think there is a raw target in POM and something like NOTRACK in order to
> ignore conntracking for those connections...
Oh dear :( Maybe I am getting out of date :)
Regards,
Antony.
--
This email was created using 100% recycled electrons.
Please reply to the list;
please don't CC me.
* Re: selective connection tracking?
From: Antony Stone @ 2004-05-12 17:58 UTC
To: netfilter
On Wednesday 12 May 2004 6:42 pm, fming@borderware.com wrote:
> Hi,
>
> I am from the FreeBSD/ipfilter world. I recently switched to Linux and
> netfilter.
Welcome to our world :)
> One question I have with netfilter connection tracking is whether I
> can instruct the connection tracking to selectively track connections.
No.
> It looks to me like once I loaded the conn_track modules, everything was tracked.
Correct.
> Is there a way I can specify, for example, that I only want http to be
> tracked? All other traffic will be dropped anyway, tracked or not.
If it's going to be dropped, there won't be a connection, therefore the other
traffic won't consume any connection tracking resources.
Regards,
Antony.
--
How I want a drink, alcoholic of course, after the heavy chapters involving
quantum mechanics.
- 3.14159265358979
Please reply to the list;
please don't CC me.
* Re: selective connection tracking?
From: fming @ 2004-05-12 18:50 UTC
To: netfilter, Antony Stone
Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:
> > It looks to me like once I loaded the conn_track modules, everything was
> > tracked.
>
> Correct.
>
> > Is there a way I can specify, for example, that I only want HTTP to
> > be tracked? All other traffic will be dropped anyway, tracked or not.
>
> If it's going to be dropped, there won't be a connection, therefore the
> other traffic won't consume any connection tracking resources.
I believe the connection tracking is useful for the FORWARD filter; however,
for the INPUT filter, it's the job of Linux TCP/UDP to take care of those
things. Keeping another set of state below the IP layer does not make sense to me.
The upper layer protocol has better knowledge of the connection state than
the conn_track anyway.
* Re: selective connection tracking?
From: Michael Gale @ 2004-05-13 16:28 UTC
To: netfilter, fming
Hello Ming,
I thought you could do connection tracking per port, for example if you were
forwarding / allowing out HTTP and SSH but then wanted to block SSH.
At first you would have:
iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 80 \
    -m state --state ESTABLISHED,NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 22 \
    -m state --state ESTABLISHED,NEW -j ACCEPT
That would allow port 80 and port 22 new or established connections; then if you
removed the rule for port 22 and had a default policy of deny, SSH
connections should be dropped.
Michael.
On Wed, 12 May 2004 13:42:03 -0400 (EDT)
fming@borderware.com wrote:
> Hi,
>
> I am from the FreeBSD/ipfilter world. I recently switched to Linux and
> netfilter. One question I have with netfilter connection tracking is whether
> I can instruct the connection tracking to selectively track
> connections.
>
> It looks to me like once I loaded the conn_track modules, everything was tracked. Is
> there a way I can specify, for example, that I only want HTTP to be tracked?
> All other traffic will be dropped anyway, tracked or not.
>
> Regards,
> Ming
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: selective connection tracking?
From: Michael Gale @ 2004-05-13 16:35 UTC
To: netfilter, fming
Sorry I misunderstood the question.
Michael.
On Thu, 13 May 2004 10:28:29 -0600
Michael Gale <michael.gale@utilitran.com> wrote:
> Hello Ming,
>
> I thought you could do connection tracking per port, for example if you
> were forwarding / allowing out HTTP and SSH but then wanted to block SSH.
>
> At first you would have:
>
> iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 80 \
>     -m state --state ESTABLISHED,NEW -j ACCEPT
>
> iptables -A FORWARD -i eth1 -o eth0 -s internalnetwork -p tcp --dport 22 \
>     -m state --state ESTABLISHED,NEW -j ACCEPT
>
> That would allow port 80 and port 22 new or established connections; then if you
> removed the rule for port 22 and had a default policy of deny, SSH
> connections should be dropped.
>
> Michael.
>
> On Wed, 12 May 2004 13:42:03 -0400 (EDT)
> fming@borderware.com wrote:
>
> > Hi,
> >
> > I am from the FreeBSD/ipfilter world. I recently switched to Linux and
> > netfilter. One question I have with netfilter connection tracking is whether
> > I can instruct the connection tracking to selectively track
> > connections.
> >
> > It looks to me like once I loaded the conn_track modules, everything was tracked. Is
> > there a way I can specify, for example, that I only want HTTP to be tracked?
> > All other traffic will be dropped anyway, tracked or not.
> >
> > Regards,
> > Ming
>
> --
> Michael Gale
> Network Administrator
> Utilitran Corporation
--
Michael Gale
Network Administrator
Utilitran Corporation