* connectionless port forwarding
@ 2006-02-24 13:03 Giacomo A. Catenazzi
From: Giacomo A. Catenazzi @ 2006-02-24 13:03 UTC (permalink / raw)
To: netfilter
Hello.
I'm trying to find out whether I can do (or why not) connectionless
port forwarding. Google didn't help me, and now I'm
using std port forwarding using nat tables, but
a smaller solution is better IMHO.
I admin a "high" traffic web site. Lately there was
a huge increase of web-spam/blog-spam traffic, which I would
like to avoid.
I want to direct traffic from a blacklist onto
another port, so that a simple http server will
advise the user (and offer a graphical challenge) to unblock.
Practically I want to mangle the port of blacklist-originated
packets, from 80 to 81, and the opposite for outgoing traffic.
Port 81 will be firewalled from outside, so I think there cannot
be a problem with connection identification / collision.
Would it be possible?
Would it be lighter than the std nat solution (and connection tracking)?
Is there already some netfilter module? (or
should I implement one myself?)
ciao
cate
PS: please CC: me. It is easier to reply.
* Re: connectionless port forwarding
From: Rob Sterenborg @ 2006-02-28 14:06 UTC (permalink / raw)
To: Giacomo A. Catenazzi; +Cc: netfilter
On Fri, February 24, 2006 14:03, Giacomo A. Catenazzi wrote:
> Hello.
>
> I'm trying to find out whether I can do (or why not) connectionless port
> forwarding. Google didn't help me, and now I'm using std
> port forwarding using nat tables, but a smaller solution is
> better IMHO.
>
> I admin a "high" traffic web site. Lately there was
> a huge increase of web-spam/blog-spam traffic, which I would
> like to avoid.
>
> I want to direct traffic from a blacklist onto another port,
> so that a simple http server will advise the user (and offer a
> graphical challenge) to unblock.
>
> Practically I want to mangle the port of blacklist-originated
> packets, from 80 to 81, and the opposite for outgoing traffic.
> Port 81 will be firewalled from outside, so I think there cannot
> be a problem with connection identification / collision.
>
> Would it be possible?
I don't think so.
http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-raw
<quote>
The NOTRACK target can be used to select which packets *not*
to enter the conntrack/NAT subsystems. Please keep in mind:
if you mark a packet with NOTRACK, then
- all the conntrack functionalities are lost for the packet
(ICMP error tracking, protocol helpers, etc)
- all the NAT functionalities are also lost.
</quote>
Port forwarding is a form of NAT (DNAT), so you'd lose the functionality you need.
> Would it be lighter than the std nat solution (and connection tracking)?
> Is there already some netfilter module? (or should I implement
> one myself?)
Maybe another possibility exists that I'm not aware of..
(Comes to mind, if you run a webserver on the firewall that hosts the webpages
you want to show the users on the blacklist, you probably wouldn't need
conntrack/NAT. However, running servers on a firewall is considered bad
practice and I'm not sure I'd do this in a high volume site like you
mentioned.)
Gr,
Rob
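The nat-table setup both messages refer to, written out as an added example (this is not the poster's script nor netfilter project code). It shows the two halves of the standard solution: a REDIRECT rule in the nat table that rewrites port 80 to 81 for blacklisted sources, and a filter rule that keeps port 81 closed to anyone who did not come through that redirect. Conntrack is what rewrites the replies back from 81 to 80, which is why a NOTRACK rule would break it. The interface name `eth0`, the sample addresses, and the availability of the conntrack match's `--ctstate DNAT` on the kernel in use are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It spells out the standard
# nat-table approach the original poster already uses and that the reply
# explains cannot be made connectionless: REDIRECT in the nat table rewrites
# port 80 -> 81 for blacklisted sources, and conntrack rewrites the replies
# back (81 -> 80). A NOTRACK rule in the raw table would take the packet out
# of conntrack and therefore out of the nat table too, so no redirect.
# Interface name and addresses are constructed placeholders.

WEB_IF="${WEB_IF:-eth0}"   # assumed external interface

# Print the nat rule for one blacklisted source (host or CIDR).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports 81\n' \
        "$WEB_IF" "$1"
}

# Print the full rule set for the blacklist given as arguments.
# Port 81 is closed to direct connections from outside; only packets whose
# connection was DNATed (i.e. arrived via the redirect above) are let in,
# so the challenge page is reachable only by redirected clients.
build_rules() {
    printf 'iptables -A INPUT -i %s -p tcp --dport 81 -m conntrack ! --ctstate DNAT -j DROP\n' \
        "$WEB_IF"
    for src in "$@"; do
        redirect_rule "$src"
    done
}

# Constructed sample blacklist (RFC 5737 documentation ranges).
SAMPLE_BLACKLIST="192.0.2.0/24 198.51.100.7"

# Dry run prints the commands for review; APPLY=1 pipes them to sh (as root).
if [ "${APPLY:-0}" = 1 ]; then
    build_rules $SAMPLE_BLACKLIST | sh -e
else
    build_rules $SAMPLE_BLACKLIST
fi
```

Run it without `APPLY` to review the generated rules first. For a blacklist of more than a handful of entries, one `-m set` match against an ipset would replace the per-source loop and keep the rule count constant; that is a scaling change, not a way around conntrack, which the REDIRECT still depends on.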