-m limit --limit ...

On Tue, Jul 22, 2003 at 07:54:55PM -0700, Tim Burress wrote:
> Hello!
>
> We have kind of an interesting problem and I was wondering
> if people have any suggestions. Imagine a network like
> this:
>
> X----------F---------Z
>
> where F is a Linux box acting as a firewall to protect
> the Z network. F runs
>
> kernel 2.4.21-pre5
> iptables 1.2.7a
> patch-o-matic 20030112
>
> The problem arises like this:
>
> X attempts to initiate a UDP exchange with Z, but Z
> responds to the initial packet with an ICMP port
> unreachable. That's fine, but once this happens, it
> seems that Z (or some other node on Z's network) is
> then able to repeatedly replay this same ICMP port
> unreachable back to X.
>
> So the question is, what's the best way to prevent
> that at F?
>
> One idea was that conntrack could destroy the
> conntrack record for the UDP "connection" upon receipt
> of the port unreachable. Another, much larger scope
> solution would be to implement some sort of
> generalized replay protection that would attempt to
> identify and DROP replayed packets. The first seems
> nice and simple, but we're worried about unintended
> consequences. The second seems interesting, but could
> get a little involved. I wondered if people had any
> thoughts or suggestions for other ways to deal with
> this.
>
> Thanks!
>
> Tim
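What the one-line reply is pointing at, spelled out as an added example (this script is not from the thread or from the netfilter project). It installs FORWARD rules on F that let ICMP port-unreachable errors from the Z side through only while conntrack can tie them to an existing UDP flow (RELATED) and only at a bounded rate; everything beyond the limit is logged (also rate-limited) and dropped. The interface names eth0/eth1, the 1/s rate and burst of 5, and the `apply` argument are assumptions chosen for the example; set IPT=echo to preview the rules instead of loading them.

```sh
#!/bin/sh
# Rate-limit replayed ICMP port-unreachable errors crossing F from Z to X.
# Added example for the thread above, not the original poster's setup.
# Assumptions (hypothetical, adjust to taste):
#   EXT_IF faces the X network, INT_IF faces the Z network,
#   RATE/BURST are the -m limit token-bucket parameters,
#   IPT is the iptables binary (IPT=echo prints the rules instead).
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
RATE="${RATE:-1/s}"
BURST="${BURST:-5}"

# Common match: ICMP type 3 code 3 forwarded from the Z side toward X.
# Kept in a function so the three rules cannot drift apart.
icmp_unreach_match() {
    echo "-i $INT_IF -o $EXT_IF -p icmp --icmp-type port-unreachable"
}

# Rules are inserted at position 1 in reverse order so that, once loaded,
# they read ACCEPT / LOG / DROP from the top. They must sit above any
# blanket "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule, because
# conntrack marks a replayed error RELATED for as long as the UDP entry
# it answers is still alive, and that rule would accept it first.
add_icmp_limit_rules() {
    # 3. Anything of this type that reached here exceeded the limit: drop it.
    $IPT -I FORWARD 1 $(icmp_unreach_match) -j DROP
    # 2. Log the excess, with its own small limit so the log cannot be
    #    flooded by the very replay we are trying to contain.
    $IPT -I FORWARD 1 $(icmp_unreach_match) \
        -m limit --limit 6/min --limit-burst 3 \
        -j LOG --log-prefix "icmp-unreach-excess: "
    # 1. Let through only errors conntrack can relate to a UDP flow, and
    #    only while the token bucket has credit. -m limit stops matching
    #    when the bucket is empty, so the rules below then take over.
    $IPT -I FORWARD 1 $(icmp_unreach_match) \
        -m state --state RELATED \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
}

# Remove the same three rules again (same matches, -D instead of -I).
del_icmp_limit_rules() {
    $IPT -D FORWARD $(icmp_unreach_match) \
        -m state --state RELATED \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    $IPT -D FORWARD $(icmp_unreach_match) \
        -m limit --limit 6/min --limit-burst 3 \
        -j LOG --log-prefix "icmp-unreach-excess: "
    $IPT -D FORWARD $(icmp_unreach_match) -j DROP
}

# Usage: sh limit-icmp.sh apply | remove   (IPT=echo ... to preview)
case "${1:-}" in
    apply)  add_icmp_limit_rules ;;
    remove) del_icmp_limit_rules ;;
esac
```

Two caveats a practitioner should weigh before deploying this: `-m limit` is a single bucket shared by every host on the Z side, so one noisy node also throttles legitimate port-unreachable replies from its neighbours, and the limit only bounds how many replays get through, it does not tell a genuine error from a replayed one. The first idea in the post, dropping the UDP conntrack entry when the error arrives, would instead make later copies fail the RELATED match outright, at the cost of discarding any late but legitimate reply to the same probe.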