From: Jeff <Jeff.Meyers@gmx.net>
To: "André Paulsberg-Csibi" <Andre.Paulsberg-Csibi@evry.com>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Accept clients that were seen at least twice only
Date: Wed, 26 Aug 2015 14:51:50 +0200
Message-ID: <55DDB666.60709@gmx.net>
In-Reply-To: <838AB161BE491743AE3CA3A916CF1CC648C8D8E2@CCDEX015.corp.corpcommon.com>
Could be 2x SYN or 2x UDP or 2x ICMP. Any of that kind shall allow the
2nd packet to pass since I can - at least for now - assume that this is
not a random flood with spoofed IPs. Of course only within a certain
time frame like 10-30 seconds and not infinite.
Best,
Jeff
On 26.08.2015 at 14:46, André Paulsberg-Csibi wrote:
> One short question, do you mean clients that send you 2 or more SYN packets in the same session?
>
> Or just send ANY 2 packets in the same "session", or even "worse" 2 times whatever the packet type?
>
>
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer
> Fault Handling
> EVRY Nordic Operations AS
> andre.paulsberg-csibi@evry.com
> M +47 9070 5988
>
>
>
>
> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Jeff
> Sent: 26 August 2015 14:22
> To: netfilter@vger.kernel.org
> Subject: Accept clients that were seen at least twice only
>
> Hello everybody,
>
> I am looking for a way to accept traffic from clients only if they were
> seen at least twice. This shall be part of a firewall concept which
> protects the target from random floods where source IPs are usually only
> seen once since they are random.
> I cannot use the --state ESTABLISHED here because this requires a
> complete handshake (for TCP). I'm okay with the first packet not
> matching this rule as long as the 2nd one does. I'm looking forward to
> reading your ideas!
>
>
> Best,
> Jeff
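One way to build the "seen at least twice within a time window" filter Jeff asks for, as an added example that is not from the thread: the xt_recent match (`-m recent`) records a source on its first NEW packet and lets the next NEW packet from that source through if it arrives within the window. The chain name `SEEN_TWICE`, the list name `seen`, the 30 s window and an INPUT policy of DROP are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): accept a NEW connection only from a
# source that already sent us something within the last WINDOW seconds.
# Assumes xt_recent is available and INPUT's policy is DROP, so the first
# packet simply vanishes; a real client retries, a random spoofed source never does.
WINDOW="${WINDOW:-30}"
LIST="seen"

# Print the rule set instead of applying it, so it can be reviewed first
# (pipe through sh as root to load). Order matters: the --rcheck rule must
# precede --set, otherwise the very first packet would register AND pass.
emit_rules() {
    window="$1"
    cat <<EOF
# Connections conntrack already knows are unaffected (covers TCP after the
# accepted SYN, UDP/ICMP replies and related traffic).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Every NEW connection (first SYN, first UDP datagram, ICMP echo, ...) is
# judged in its own chain.
iptables -N SEEN_TWICE
iptables -A INPUT -m conntrack --ctstate NEW -j SEEN_TWICE
# Second sighting: source is in the list and its entry is younger than
# $window s, so accept. (--update instead of --rcheck would also refresh
# the timestamp, keeping chatty clients "known" beyond the window.)
iptables -A SEEN_TWICE -m recent --name $LIST --rcheck --seconds $window -j ACCEPT
# First sighting: remember the source (--set always matches) and hand the
# packet back to INPUT, where the DROP policy discards it.
iptables -A SEEN_TWICE -m recent --name $LIST --set -j RETURN
EOF
}

# Capacity check: xt_recent keeps at most ip_list_tot addresses per list
# (module default 100). A random-source flood fills that instantly and evicts
# legitimate first sightings, so raise it via the module parameter.
recent_capacity() {
    cat /sys/module/xt_recent/parameters/ip_list_tot 2>/dev/null || echo 100
}

emit_rules "$WINDOW"
```

With the default list size every flood packet evicts an older entry, so `recent_capacity` is worth checking before relying on the second-packet rule under load.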