On Tue, 23 Sep 2003, Nik Trevallyn-Jones wrote:

> As a result of experiences deploying PortSentry behind an ipchains
> firewall recently, I started considering how iptables could be used to deploy
> a dynamic firewall which would be able to modify itself in response to
> predefined events. As far as I can see, such features would require extension
> modules.

Take a look at the ULOG target which will send a copy of the packet to a
netlink socket. A listening daemon can then do weird and wonderful
modifications to the tables. There's the issue that the table changes
wouldn't happen until the daemon got the CPU, so a few :-) milliseconds
delay could be expected, but in the scenario you described, that would be
tolerable. The less brains are in the kernel, the less things can go wrong
and splatter.

Hope this helps.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
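The ULOG-plus-daemon design described in the reply, as an added example that is not part of the original thread and not code from either poster. The iptables rules use the real ULOG target options (--ulog-nlgroup, --ulog-prefix); the chain name DYNBLOCK, the probed ports, the thresholds and the sample events are assumptions made up for illustration. The netlink listener itself (libipulog / ulogd in practice) is left out: the daemon is fed already-parsed packet events so the decision logic runs offline, and the iptables calls go through a replaceable runner so a dry run can be checked. Note that ULOG was later superseded by the NFLOG target; on a modern kernel the same scheme applies with NFLOG and nflog-group in place of ULOG and ulog-nlgroup.

```python
"""Dynamic firewall daemon sketch: react to ULOG-copied packets by
inserting iptables rules. Example code, not from the original post.

Assumed layout (constructed for this example):
  - ULOG copies NEW connections to a few tripwire ports to netlink group 1
  - this daemon counts hits per source and, past a threshold within a
    window, inserts a DROP for that source at the top of chain DYNBLOCK
"""
import subprocess
import time
from collections import defaultdict, deque

PROBE_THRESHOLD = 3      # hits from one source before we react (assumption)
WINDOW_SECONDS = 60.0    # sliding window for those hits (assumption)
BLOCK_CHAIN = "DYNBLOCK" # hypothetical chain holding the dynamic rules
TRIPWIRE_PORTS = "23,111,135"  # ports nothing legitimate should touch (assumption)

# Static rules installed once at startup. The ULOG rule hands a copy of
# each matching packet to netlink multicast group 1 with a recognisable prefix.
SETUP_RULES = [
    ["iptables", "-N", BLOCK_CHAIN],
    ["iptables", "-I", "INPUT", "1", "-j", BLOCK_CHAIN],
    ["iptables", "-A", "INPUT", "-p", "tcp", "-m", "multiport",
     "--dports", TRIPWIRE_PORTS, "-m", "state", "--state", "NEW",
     "-j", "ULOG", "--ulog-nlgroup", "1", "--ulog-prefix", "PROBE"],
]


def run_iptables(argv):
    """Default runner: really execute iptables (needs root)."""
    subprocess.run(argv, check=True)


class DynamicFirewall:
    def __init__(self, run=run_iptables, clock=time.monotonic):
        self.run = run          # callable taking an iptables argv list
        self.clock = clock      # callable returning seconds (monotonic)
        self.hits = defaultdict(deque)   # src_ip -> timestamps within window
        self.blocked = set()

    def setup(self):
        for argv in SETUP_RULES:
            self.run(argv)

    def on_packet(self, src_ip, dst_port):
        """Called once per ULOG-delivered packet. Returns True if a block rule
        was inserted as a result of this packet."""
        now = self.clock()
        q = self.hits[src_ip]
        q.append(now)
        # Age out hits that fell outside the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= PROBE_THRESHOLD and src_ip not in self.blocked:
            self.block(src_ip)
            return True
        return False

    def block(self, src_ip):
        # Insert at position 1 so the DROP precedes anything else in the chain;
        # since INPUT jumps to DYNBLOCK first, it also precedes the ULOG rule,
        # so the daemon stops receiving copies from this source.
        self.run(["iptables", "-I", BLOCK_CHAIN, "1", "-s", src_ip, "-j", "DROP"])
        self.blocked.add(src_ip)


# Constructed events (seconds, source, destination port); not captured traffic.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 23),
    (0.5, "198.51.100.7", 23),
    (1.0, "192.0.2.10", 111),
    (2.0, "192.0.2.10", 135),     # third hit inside the window -> block
    (3.0, "192.0.2.10", 23),      # already blocked: no duplicate rule
    (100.0, "198.51.100.7", 23),  # the 0.5 s hit has aged out by now
    (101.0, "198.51.100.7", 111), # only two hits in window -> no block
]


def simulate(events):
    """Replay events through the daemon with a dry-run iptables.
    Returns (firewall, list of iptables argv lists that would have run)."""
    issued = []
    clock = {"t": 0.0}
    fw = DynamicFirewall(run=issued.append, clock=lambda: clock["t"])
    for t, src, dport in events:
        clock["t"] = t
        fw.on_packet(src, dport)
    return fw, issued


if __name__ == "__main__":
    fw, issued = simulate(SAMPLE_EVENTS)
    for argv in issued:
        print(" ".join(argv))   # prints the single DROP for 192.0.2.10
```

The delay the reply mentions shows up naturally here: any packets a source gets in between the threshold being crossed and the daemon's iptables call returning are still copied to netlink and still counted, which is why the blocked set is checked before inserting a second rule for the same source.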