From: Georgi Alexandrov <georgi.alexandrov@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: running commands when packet matched
Date: Mon, 05 Dec 2005 19:26:36 +0200 [thread overview]
Message-ID: <4394784C.8030800@gmail.com> (raw)
In-Reply-To: <1133655073.17460.4.camel@porky>
Eric Leblond wrote:
>On Sat, 2005-12-03 at 17:39 -0500, James Rhett Aultman wrote:
>
>
>>Dear Netfilter users,
>>
>> Again, to explain the mechanism I need: when the
>>machine encounters a packet matching a rule, I want the machine to run a
>>specific program and drop the packet.
>>
>>Is something like this possible using iptables or another netfilter project?
>>
>>
>
>Yes, just use the QUEUE or NFQUEUE target. This send packet to userspace
>and there you can do what you want. In your case, match and accept the
>packets and then a match is done, do your job ....
>
>If you need some code example, you can have a look at NuFW :
> http://www.nufw.org/
>
>By the way, you could also have a look at ulogd2 which brings some
>features that may interest you :
> http://svn.gnumonks.org/branches/ulog/ulogd2/
>
>
>BR,
>
>
But actually the truth is that this a job for a IDS/IPS such as
Snort(.org), not netfilter.
A cite from: http://www.snort.org/docs/faq/1Q05/node91.html
" But one caveat... running external binaries can also be a performance
limiter and your should read the caution below...
CHRISTOPHER CRAMER wrote:
I'm sure this has been mentioned before in similar discussions, but
this feels like a _really_ bad idea. What if the bad guys realize
what is going on and make use of your blocking method as a DoS
attack. All one would have to do start sending a series of
triggering packets with spoofed IP addresses.
Since I am no longer interested in breaking into your site, but
rather making your life hell, I don't worry about the resulting data
getting back to me. All I have to do is start proceeding up a list
of IP addresses that I think you should no longer be able to talk
to. When you come in the next morning, you find that you can no
longer access the world.
Just my $0.02.
Danger Will Robinson: Conventional wisdom says that auto-blocking is
inherently dangerous."
Enjoy! :-)
Georgi Alexandrov
next prev parent reply other threads:[~2005-12-05 17:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-12-03 22:39 running commands when packet matched James Rhett Aultman
2005-12-04 0:11 ` Eric Leblond
2005-12-05 17:26 ` Georgi Alexandrov [this message]
2005-12-05 17:48 ` James Rhett Aultman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4394784C.8030800@gmail.com \
--to=georgi.alexandrov@gmail.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox