From: Dino Klein <zagzag-lists@speakeasy.net>
To: netfilter@lists.netfilter.org
Subject: Application order of match extensions
Date: Sat, 17 Sep 2005 21:25:00 -0400
Message-ID: <432CC1EC.20105@speakeasy.net>
Hi,
While creating some rules for slowing down SSH attacks, I've run into an
interesting question - what is the order in which match extensions are
processed? Namely, do these two rules differ:
(1) -m tcp -m state -m recent --state NEW -p tcp --dport ssh --seconds 180 --hitcount 2 --update --name ssh -j REJECT
(2) -m tcp -m recent -m state --state NEW -p tcp --dport ssh --seconds 180 --hitcount 2 --update --name ssh -j REJECT
The only difference between the two is the order of the 'state' and
'recent' extensions.
The first one works as designed - reject new connections for IP
addresses that already have a hit-count of 2 and the last update
occurred no more than 180 seconds ago.
However, the second rule seems to apply the recent match first, and it
does so for any packet destined for port 22, so the '--update' takes
effect (assuming the hit count and time criteria are fulfilled). Only
then is the state of the connection examined. The effect of this is that
open connections end up affecting the count and last-seen time with
respect to the 'recent' extension, and in essence the IP is blocked from
initiating any new connections.
So, is this how things are supposed to be, and always will be? Is the
application order of the match extensions determined by the order in which
they were specified on the command line?
I couldn't find info in the man page, so I was hoping someone could give
me an answer.
Thanks in advance.
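To make the ordering effect described in the post concrete, here is an added Python model of how a rule's matches are evaluated; it is illustration code written for this page, not code from the post or from netfilter. It assumes two things about the kernel: a rule stops at the first match that fails, so matches listed after it never run, and the `recent` match with `--update --seconds N --hitcount M` succeeds when at least M timestamps for the source lie within the last N seconds and, only when it succeeds, records a fresh timestamp (`--set` always records one). The companion `--set` rule that records new SSH connections, the cap on stored timestamps, and the packet sequence (two logins, a rejected third attempt, a long-lived session, then a reconnect from 10.0.0.5) are all assumptions constructed for the example.

```python
"""Model of match evaluation order in an iptables rule, and of the side effect
the `recent` match has when it runs.  Added illustration, not kernel code."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_STAMPS = 20   # assumed cap on timestamps kept per address


@dataclass
class Packet:
    src: str
    dport: int
    state: str    # "NEW" or "ESTABLISHED", as conntrack would classify it
    t: int        # arrival time in seconds


class RecentTable:
    """One named `recent` list: source address -> timestamps of hits."""

    def __init__(self) -> None:
        self.entries: Dict[str, List[int]] = {}

    def set(self, src: str, t: int) -> None:
        stamps = self.entries.setdefault(src, [])
        stamps.append(t)
        del stamps[:-MAX_STAMPS]

    def update(self, src: str, t: int, seconds: int, hitcount: int) -> bool:
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if t - s <= seconds)
        if hits < hitcount:
            return False
        self.set(src, t)   # --update refreshes the entry only on a successful match
        return True


Match = Callable[[Packet, RecentTable], bool]


def m_tcp_dport(port: int) -> Match:
    return lambda pkt, tbl: pkt.dport == port


def m_state(state: str) -> Match:
    return lambda pkt, tbl: pkt.state == state


def m_recent_set() -> Match:
    def match(pkt: Packet, tbl: RecentTable) -> bool:
        tbl.set(pkt.src, pkt.t)
        return True
    return match


def m_recent_update(seconds: int, hitcount: int) -> Match:
    return lambda pkt, tbl: tbl.update(pkt.src, pkt.t, seconds, hitcount)


@dataclass
class Rule:
    matches: List[Match]
    target: Optional[str]   # None: no -j, the packet continues down the chain


def run_chain(chain: List[Rule], pkt: Packet, tbl: RecentTable, policy: str = "ACCEPT") -> str:
    for rule in chain:
        # Matches run left to right; all() stops at the first failing match,
        # so a later match (and its side effect) is skipped for this packet.
        if all(m(pkt, tbl) for m in rule.matches) and rule.target is not None:
            return rule.target
    return policy


def build_chain(state_before_recent: bool) -> List[Rule]:
    if state_before_recent:   # rule (1) from the post: -m tcp -m state -m recent
        reject = [m_tcp_dport(22), m_state("NEW"), m_recent_update(180, 2)]
    else:                     # rule (2) from the post: -m tcp -m recent -m state
        reject = [m_tcp_dport(22), m_recent_update(180, 2), m_state("NEW")]
    # Assumed companion rule, not shown in the post: record NEW SSH connections
    # that were not rejected (-p tcp --dport ssh -m state --state NEW -m recent --set --name ssh).
    return [Rule(reject, "REJECT"),
            Rule([m_tcp_dport(22), m_state("NEW"), m_recent_set()], None)]


def traffic() -> List[Packet]:
    """Constructed sample traffic from one client."""
    pkts = [Packet("10.0.0.5", 22, "NEW", t) for t in (0, 10, 20)]              # three logins
    pkts += [Packet("10.0.0.5", 22, "ESTABLISHED", t) for t in range(60, 361, 60)]  # open session
    pkts.append(Packet("10.0.0.5", 22, "NEW", 400))                             # reconnect
    return pkts


def simulate(state_before_recent: bool) -> List[str]:
    chain, tbl = build_chain(state_before_recent), RecentTable()
    return [run_chain(chain, pkt, tbl) for pkt in traffic()]


if __name__ == "__main__":
    print("(1) state then recent:", simulate(True))
    print("(2) recent then state:", simulate(False))
```

Under these assumptions both orders reject the third login attempt at t=20, but only order (2) keeps refreshing the `recent` entry from the established session's packets, so the reconnect at t=400 is rejected there and accepted with order (1).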