Hi Patrick, On Tue, 21 Apr 2009, Patrick McHardy wrote: > Jozsef Kadlecsik wrote: > > > On Mon, 20 Apr 2009, Patrick McHardy wrote: > > > > > Jozsef Kadlecsik wrote: > > Oh, it's not for me at all: at a workshop I was asked how to log the info > > (hint: conflicker ;-) and embarrased enough I had to admit there was no easy > > way. That's why I put together the patch, with all it's questionable > > details. > > I can see that it has some informational value, but for things like > locating infected hosts, why not simply look at the traffic before > it is NATed? I currently can't come up with a real use case for > this ... The well-maintained sites manage to locate on-site infected machines by using IDS, traffic-analysis, etc. However the typical user case for small sites is that the ISP or other offsite host report an abuse: "your machine x.y.z.w attacked machine a.b.c.d/added to the RBL because of spamming/etc" - and the machine x.y.z.w is of course their firewall. And they have got nothing which could help them to pick the real machine from the NATed network behind the firewall. And the small sites is the main reason why I'd favor an "out of the box" solution, which does not rely on anything besides netfilter/iptables. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
