* Accept clients that were seen at least twice only
From: Jeff @ 2015-08-26 12:21 UTC (permalink / raw)
To: netfilter
Hello everybody,
I am looking for a way to accept traffic from clients only if they were
seen at least twice. This shall be part of a firewall concept which
protects the target from random floods where source IPs are usually only
seen once since they are random.
I cannot use the --state ESTABLISHED here because this requires a
complete handshake (for TCP). I'm okay with the first packet not
matching this rule as long as the 2nd one does. I'm looking forward to
reading your ideas!
Best,
Jeff
* RE: Accept clients that were seen at least twice only
From: André Paulsberg-Csibi @ 2015-08-26 12:46 UTC (permalink / raw)
To: Jeff, netfilter@vger.kernel.org
One short question, do you mean clients that send you 2 or more SYN packets in the same session?
Or just send ANY 2 packets in the same "session", or even "worse" 2 times whatever the packet type?
Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
EVRY Nordic Operations AS
andre.paulsberg-csibi@evry.com
M +47 9070 5988
* Re: Accept clients that were seen at least twice only
From: Jeff @ 2015-08-26 12:51 UTC (permalink / raw)
To: André Paulsberg-Csibi, netfilter@vger.kernel.org
Could be 2x SYN or 2x UDP or 2x ICMP. Any of that kind shall allow the
2nd packet to pass since I can - at least for now - assume that this is
not a random flood with spoofed IPs. Of course only within a certain
time frame like 10-30 seconds and not infinite.
Best,
Jeff
On 26.08.2015 at 14:46, André Paulsberg-Csibi wrote:
> One short question, do you mean clients that send you 2 or more SYN packets in the same session?
>
> Or just send ANY 2 packets in the same "session", or even "worse" 2 times whatever the packet type?
>
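Jeff's requirement (pass a source only on its second packet inside a 10-30 second window, any packet type) maps onto the netfilter `recent` match; the Python model below is added here and is not code from the thread or from netfilter: it mirrors a `--set` rule followed by `--rcheck --seconds 30 --hitcount 2 -j ACCEPT`, including the module's default per-table size and its LRU eviction, and runs a constructed trace through it. The rule lines in the docstring, the addresses and the flood are my assumptions, not anything the posters wrote.

```python
from collections import OrderedDict, deque

# Defaults of the xt_recent kernel module (toy model, not kernel code).
IP_LIST_TOT = 100      # sources kept per --name table; the LRU source is evicted when full
IP_PKT_LIST_TOT = 20   # timestamps kept per source

class RecentTable:
    """Model of one '-m recent --name' table with LRU eviction."""
    def __init__(self, list_tot=IP_LIST_TOT):
        self.list_tot = list_tot
        self.entries = OrderedDict()  # src -> deque of timestamps, least recently used first

    def set(self, src, now):
        """'--set': create the entry (evicting the LRU one if full) or add a timestamp."""
        if src not in self.entries:
            if len(self.entries) >= self.list_tot:
                self.entries.popitem(last=False)  # a flood of new sources pushes old ones out
            self.entries[src] = deque(maxlen=IP_PKT_LIST_TOT)
        self.entries[src].append(now)
        self.entries.move_to_end(src)  # an update makes the entry most recently used

    def rcheck(self, src, now, seconds, hitcount):
        """'--rcheck --seconds S --hitcount H': listed with >= H stamps younger than S."""
        hits = sum(1 for t in self.entries.get(src, ()) if now - t < seconds)
        return hits >= hitcount

def filter_trace(trace, seconds=30, hitcount=2, list_tot=IP_LIST_TOT):
    """Run (time, src) packets through this chain and return (time, src, verdict):
         -A INPUT -m recent --name seen --set
         -A INPUT -m recent --name seen --rcheck --seconds 30 --hitcount 2 -j ACCEPT
         -A INPUT -j DROP
    """
    table = RecentTable(list_tot)
    verdicts = []
    for now, src in trace:
        table.set(src, now)  # recorded first, so this packet itself counts toward --hitcount
        verdict = "ACCEPT" if table.rcheck(src, now, seconds, hitcount) else "DROP"
        verdicts.append((now, src, verdict))
    return verdicts

# Constructed traffic: a client whose 2nd packet arrives 5 s later, a slow client whose
# 2nd packet misses the 30 s window, and a 120-source random flood between the client's packets.
CLIENT, SLOW = "203.0.113.10", "198.51.100.7"
TRACE = [(0, CLIENT), (1, SLOW), (5, CLIENT), (40, SLOW), (45, SLOW)]
FLOODED = [(0, CLIENT)] + [(1, f"192.0.2.{i}") for i in range(120)] + [(5, CLIENT)]

if __name__ == "__main__":
    print(filter_trace(TRACE))                         # CLIENT@5 and SLOW@45 ACCEPT, the rest DROP
    print(filter_trace(FLOODED)[-1])                   # (5, '203.0.113.10', 'DROP'): flood evicted it
    print(filter_trace(FLOODED, list_tot=200)[-1])     # (5, '203.0.113.10', 'ACCEPT') with a bigger table
```

In the real module the table size is the `ip_list_tot` parameter of `xt_recent` (default 100, fixed when the module is loaded), so a random-source flood larger than the table evicts a legitimate client's first sighting before its second packet arrives; the run with `list_tot=200` shows the same trace passing once the table is large enough.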