Hello,

I get an increasing number of reports from people who have to pay a lot of money because their Linux router didn't close an open internet connection. In many cases, those people just had bad luck and received the (dynamic) IP address of a former eDonkey participant (or any other P2P net). Because eDonkey links live quite long, even after somebody has quit the net, clients still send their requests to this address.

One strategy to avoid this is starting ppp with the following option:

    active-filter filter-expression
        Specifies a packet filter to be applied to data packets to determine which packets are to be regarded as link activity, and therefore reset the idle timer, or cause the link to be brought up in demand-dialling mode. The filter-expression is specified in tcpdump syntax.

This means it works like a dumb packet filter. This has the drawback that established connections that match also do not get counted and might get interrupted. And it still leaves the door open for an "Enforcement of Service" attack -- i.e. somebody can keep my link open by just sending an unsolicited packet every now and then.

The better way to get hold of this would be to use something like iptables/netfilter rules and count only packets of "ESTABLISHED" connections (or ignore state "NEW"). Is there a way to do this? Is it perhaps possible to do something like this in the iptables PREROUTING chain? Perhaps mark the packets as "to be counted"?

Thanks in advance,
Juergen

PS: Please CC any answers to me, as I do not regularly read this list.

--
Juergen Schmidt       Leitender Redakteur/senior editor c't magazin
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300   FAX +49 511 5352 417   EMail ju@ct.heise.de
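One way to get what the mail asks for, written out as an added example that is not part of Juergen's message: pppd's active-filter cannot see netfilter state, so the idle timer is moved out of pppd into a small watcher. A counting chain matches only packets that conntrack already classifies as ESTABLISHED (an unsolicited packet from an old eDonkey peer is state NEW and never reaches the counter); the watcher polls that counter and terminates pppd when it has not moved for the idle limit. The interface name ppp0, the 600 s idle limit, the 30 s poll interval and the use of pppd's default pid file /var/run/ppp0.pid are assumptions; the iptables output used for the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original mail. Counts only packets that
# conntrack already knows as ESTABLISHED on the PPP link and hangs up when
# that counter stops moving. Assumptions: interface ppp0, 600 s idle limit,
# 30 s poll interval, pppd's default pid file /var/run/ppp0.pid.

PPP_IF="${PPP_IF:-ppp0}"
IDLE="${IDLE:-600}"    # seconds of no ESTABLISHED traffic before hangup
POLL="${POLL:-30}"     # seconds between two counter readings

# One user chain with a single counting rule. Everything that enters or leaves
# the link jumps into it, but only packets whose connection conntrack has
# already seen a reply for (state ESTABLISHED) reach the RETURN rule and bump
# its counter. An unsolicited packet from an old peer is state NEW and is
# never counted, so it cannot keep the link up. Needs root and iptables; the
# test never calls this function.
install_rules() {
    iptables -N ACTIVITY 2>/dev/null || iptables -F ACTIVITY
    iptables -A ACTIVITY -m conntrack --ctstate ESTABLISHED -j RETURN
    for chain in INPUT FORWARD; do
        iptables -I "$chain" 1 -i "$PPP_IF" -j ACTIVITY
    done
    for chain in OUTPUT FORWARD; do
        iptables -I "$chain" 1 -o "$PPP_IF" -j ACTIVITY
    done
}

# Read the packet counter of the ACTIVITY chain's RETURN rule from the output
# of `iptables -nvxL ACTIVITY` on stdin (-x prints exact numbers, never "12K").
# Prints the count, or 0 when the rule line is missing.
parse_established_count() {
    awk '$3 == "RETURN" { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

established_count() {
    iptables -nvxL ACTIVITY | parse_established_count
}

# Pure decision logic: given the previous and current counter and the idle time
# accumulated so far, print the new idle time. Any change resets it to 0,
# otherwise another POLL seconds are added.
update_idle() {
    prev=$1; cur=$2; idle_so_far=$3
    if [ "$cur" != "$prev" ]; then
        echo 0
    else
        echo $((idle_so_far + POLL))
    fi
}

# True when the accumulated idle time has reached the limit.
should_hangup() {
    [ "$1" -ge "$IDLE" ]
}

hangup() {
    # pppd writes its pid to /var/run/<ifname>.pid; SIGTERM makes it hang up
    # cleanly. Replace with poff or your distribution's equivalent if preferred.
    kill -TERM "$(cat "/var/run/$PPP_IF.pid")"
}

monitor_loop() {
    idle=0
    prev=$(established_count)
    while :; do
        sleep "$POLL"
        cur=$(established_count)
        idle=$(update_idle "$prev" "$cur" "$idle")
        prev=$cur
        if should_hangup "$idle"; then
            hangup
            idle=0
        fi
    done
}

# Only install the rules and start polling when invoked as "idle-watch.sh run";
# sourcing the file just defines the functions.
case "${1:-}" in
    run) install_rules; monitor_loop ;;
esac
```

Two caveats when running this for real: pppd's own idle option must be left off (or set far higher than IDLE), otherwise the two timers fight; and conntrack marks a UDP flow ESTABLISHED as soon as a packet has been seen in the reply direction, so a local service that answers an unsolicited datagram turns that flow into counted activity. ICMP errors the router sends back are RELATED, not ESTABLISHED, and do not count.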