Linux Netfilter discussions
* Application order of match extensions
@ 2005-09-18  1:25 Dino Klein
From: Dino Klein @ 2005-09-18  1:25 UTC (permalink / raw)
  To: netfilter

Hi,

While creating some rules for slowing down SSH attacks, I've run into an
interesting question: what is the order in which match extensions are
processed? Namely, do these two rules differ:

(1) -m tcp -m state -m recent --state NEW -p tcp --dport ssh --seconds
180 --hitcount 2 --update --name ssh -j REJECT

(2) -m tcp -m recent -m state --state NEW -p tcp --dport ssh --seconds
180 --hitcount 2 --update --name ssh -j REJECT

The only difference between the two is the order of the 'state' and
'recent' extensions.

The first one works as designed - reject new connections for IP
addresses that already have a hit-count of 2 and the last update
occurred no more than 180 seconds ago.

However, the second rule seems to apply the recent match first, and it
does so for any packet destined for port 22, so the '--update' takes
effect (assuming the hit count and time criteria are fulfilled). Only
then is the state of the connection examined. The effect of this is that
open connections end up affecting the count and last-seen time with
respect to the 'recent' extension, and in essence the IP is blocked from
initiating any new connections.

So, is this how things are supposed to be, and always will be? Is the
application order of the match extensions determined by the order in
which they were specified on the command line?

I couldn't find info in the man page, so I was hoping someone could give
me an answer.

Thanks in advance.


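As an added illustration (not part of the original post and not netfilter's own code), the following Python model reproduces the behaviour the poster describes: matches are evaluated left to right and evaluation stops at the first one that fails, and `-m recent --update --seconds 180 --hitcount 2` matches, and then records a fresh timestamp, only when the source already has at least two timestamps newer than 180 seconds. The packet stream, the source address and the pre-seeded timestamps (as a separate `--set` rule would have recorded them) are constructed; the model only shows why the order of 'state' and 'recent' matters, not the exact kernel implementation.

```python
"""Model of iptables evaluating one rule's match extensions in order."""
from collections import defaultdict

SECONDS, HITCOUNT = 180, 2   # --seconds 180 --hitcount 2 from the post


def state_new(pkt, now, table):
    """-m state --state NEW: only the first packet of a connection."""
    return pkt["state"] == "NEW"


def recent_update(pkt, now, table):
    """-m recent --update: match if enough recent hits, then refresh.

    Simplified model (assumption): a hit counts when it is younger than
    SECONDS, and a fresh timestamp is appended only on a match.
    """
    stamps = table[pkt["src"]]
    hits = sum(1 for s in stamps if s > now - SECONDS)
    matched = hits >= HITCOUNT
    if matched:
        stamps.append(now)   # side effect: 'last seen' is refreshed
    return matched


def rule_fires(matches, pkt, now, table):
    # all() stops at the first failing match, so a match placed after a
    # failing one is never evaluated and produces no side effect
    return all(m(pkt, now, table) for m in matches)


RULE_1 = [state_new, recent_update]   # -m state ... -m recent ...
RULE_2 = [recent_update, state_new]   # -m recent ... -m state ...


def run(matches):
    """Feed a constructed packet stream through one rule, return verdicts."""
    table = defaultdict(list)
    table["10.0.0.5"] = [0, 10]   # constructed: two earlier attempts
    # keepalives of an already-open session every 60 s, then a new
    # connection attempt at t=400 (all to port 22, same source)
    packets = [({"src": "10.0.0.5", "state": "ESTABLISHED"}, t)
               for t in range(60, 361, 60)]
    packets.append(({"src": "10.0.0.5", "state": "NEW"}, 400))
    return ["REJECT" if rule_fires(matches, pkt, now, table) else "continue"
            for pkt, now in packets]


if __name__ == "__main__":
    print("rule (1):", run(RULE_1))   # new attempt passes this rule
    print("rule (2):", run(RULE_2))   # new attempt is rejected
```

With rule (2) every keepalive satisfies the recent check and refreshes the entry, so the entry never ages out and the new attempt at t=400 is rejected; with rule (1) the keepalives never reach the recent match and the same attempt passes.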
