Re: How iptables know when an UDP connection is closed ?

Some protocols do know when packets should no longer be sent on associated
"connections".  Take RTSP or SIP for example -- a UDP connection is created
and destroyed via the control channel.  The conntrack helper could remove
the UDP connection when the appropriate message is seen (TEARDOWN or BYE). 
Is there a way to do this?

On Fri, Dec 26, 2003 at 01:41:29PM -0800, Mark E. Donaldson wrote:
> Netfilter/IPTables works at layers three & four of the OSI model - not at
> layer seven.  So, if I understand your question correctly, the answer would
> be NO, because it knows nothing about what is happening above layer four.
> However, if you have an application that is programmed to always use the
> same source & destination ports for its socket channels, then this could be
> defined as such within an iptables rule as an application and handled
> accordingly. It would not be able to distinguish them from similarly
> crafted packets though.  Having said that, the "limit" match is available to
> handle packet "flooding" as you describe it here. Basically, you have
> entered the realm of what an IDS/IPS, such as Snort, does best.  A Snort
> preprocessor could well handle this activity.
> 
> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Eddahbi Karim
> Sent: Friday, December 26, 2003 10:39 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: How iptables know when an UDP connection is closed ?
> 
> On Thu 25/12/2003 at 20:27, Mark E. Donaldson wrote:
> > Correct.  The UDP state machine is based on "timers". 
> 
> Ok, so I have another question.
> Can Iptables tell the difference between packets from the real application and
> from a packet generator?
> 
> For example:
> 
> X communicates with Y with the application Mooh-1.0, which sends UDP packets
> via port 789 and receives packets from port 987.
> 
> Then Z sends UDP packets to X with a packet generator. The UDP packets
> sent have the same dport and sport.
> 
> Can Iptables tell the difference between "Mooh-1.0" and the packet generator
> to avoid a flood?
> 
> --
> Eddahbi Karim
> 
> Phone :
> (33) (0)6 61 30 57 77
> 
> France
> 
> 
> 

-- 
There are three principal ways to lose money: wine, women, and engineers.
While the first two are more pleasant, the third is by far the more certain.
        -- Baron Rothschild, ca. 1800

Attachment: pgp00711.pgp
Description: PGP signature
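As an added example that is not code from this thread or from any of its participants, the script below applies the thread's two points to the Mooh-1.0 scenario: conntrack's UDP "connection" is only a tuple plus a timer (NEW on the first packet X sends, ESTABLISHED once a reply is seen, gone when the timeout expires), so replies are accepted only when the reverse tuple already exists, and because a packet generator that spoofs Y's address and the right ports is indistinguishable at layers three and four, a per-source rate limit is what bounds the flood. The addresses, the reading of "sends via port 789 / receives from port 987" as local port 789 and remote port 987, and the hashlimit numbers are all assumptions; the rules use today's `-m conntrack --ctstate` and `-m hashlimit` syntax rather than the `-m state` and `limit` match of the 2003 iptables the thread had in mind.

```sh
#!/bin/sh
# Added example for the thread above; not code from the original post.
# Host X runs the (hypothetical) application Mooh-1.0, which is assumed to
# send UDP from local port 789 to port 987 on Y and to get replies back on
# port 789.  Addresses, ports and rate values are assumptions for illustration.
#
# What the rules rely on:
#  1. conntrack's UDP tracking is purely timer based: the first packet X sends
#     creates a NEW entry, the first packet back makes it ESTABLISHED, and the
#     entry disappears when its timeout (30s unreplied, 180s after a reply,
#     kernel defaults) expires.  A packet from Z's own address has a different
#     tuple and therefore never matches ESTABLISHED, even with the same ports.
#  2. A packet that spoofs Y's address and the right ports is indistinguishable
#     from Mooh's traffic at layer 3/4, so a per-source rate limit (hashlimit)
#     is what caps the flood; it cannot tell the spoofed packets from real ones.
set -eu

X_ADDR="${X_ADDR:-192.0.2.10}"   # assumed address of host X
Y_ADDR="${Y_ADDR:-198.51.100.5}" # assumed address of peer Y
APP_LPORT=789                    # Mooh-1.0 local port (from the thread)
APP_RPORT=987                    # Mooh-1.0 remote port (from the thread)

# Emit the ruleset in iptables-restore format.  Kept as a function so it can
# be reviewed (and checked) without root or a netfilter-capable kernel.
mooh_rules() {
    cat <<EOF
*filter
# UDP packets conntrack could not classify at all (truncated header, bad checksum).
-A INPUT -p udp -m conntrack --ctstate INVALID -j DROP
# Mooh-1.0 opening or continuing a flow towards Y: this creates the conntrack entry.
-A OUTPUT -p udp -s $X_ADDR --sport $APP_LPORT -d $Y_ADDR --dport $APP_RPORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies only: the reverse tuple must already be in the conntrack table.
# Packets that do match (real or spoofed) are capped per source address.
-A INPUT -p udp -d $X_ADDR --dport $APP_LPORT -m conntrack --ctstate ESTABLISHED -m hashlimit --hashlimit-name mooh --hashlimit-mode srcip --hashlimit-upto 50/sec --hashlimit-burst 100 -j ACCEPT
# Everything else aimed at Mooh's port: a NEW flow from Z, or a burst over the limit.
-A INPUT -p udp -d $X_ADDR --dport $APP_LPORT -j DROP
COMMIT
EOF
}

# Load the rules without flushing what is already there.  Only applied when
# APPLY=1 is set and we are root; otherwise the ruleset is printed for review.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        mooh_rules | iptables-restore --noflush
        echo "applied"
    else
        mooh_rules
    fi
}

apply_rules
```

Run as `sh mooh-rules.sh` to review the ruleset, or `APPLY=1 sh mooh-rules.sh` as root to load it. Two caveats worth keeping in mind: a packet generator on Z using its own address is dropped by the ESTABLISHED check alone, because its tuple is never in the table; one that spoofs Y's address and ports shares the hashlimit bucket with Y's genuine replies, so under a flood Mooh-1.0's real traffic is throttled together with the forged packets, which is exactly the layer-seven gap the thread describes.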

