Hi Patrick, On Thu, 23 Apr 2009, Patrick McHardy wrote: > > Hmm, if there are multiple clients connecting to the same external node (or > > even just a few ones but the exact time is not definite due to the unsynced > > clocks) then the hunted client does not stand out. But it might indicate > > multiple infected machines as well... > > Yes, you'd need at least destination port numbers to reduce false > positives. But the same is also true if you do log the NATed address. > For the small-site case you describe, the external address is usually > know anyways since there is only a single one :) > > Just to be clear about this, I don't generally object to this, > but before making this (quite undesirable IMO) change, I'd like > to be sure that it actually provides a tantamount benefit. > Please feel free to tell me that I'm missing the point :) Because there's other solutions to log the data (ulogd2, conntrack) and because the patch is suboptimal, let's forget about it. Maybe we'll be able to figure out a better way in nftables. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
