On April 18, 2004 06:47 pm, udo wrote:
> Hello,
>
> >> Now I also want to use the tarpit feature for ports > 1023. Who can help me here?
> >
> > Maybe you can do something with the mport patch :
> > http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-mport
>
> The issue is more in this direction:
> For unprivileged ports I need to find out if a connection is related or not.
> Do I need conntrack for that? Or
> If a connection is not wanted I could make it UNTRACKED and move it to the TARPIT target.
>
> I may be missing something here, of course.

Short answer: "Yes".

Long answer: I suspect that what you are missing is that a default rule at the top of each chain that ACCEPTs all "RELATED,ESTABLISHED" connections will take *all* related or established packets out of the chain. So, if you are pumping things off to be TARPITed, you need to make sure that the rules for TARPIT are *after* all the ACCEPT packets, including the ACCEPT of NEW connections that you want to let in.

I'd suggest looking into the psd module. Although this is a project I've yet to engage in, it was my thought that if you used the psd module and then passed packets that fit it to a separate chain, you could TARPIT them there, thus managing to minimize the use of resources on your box whilst frustrating the scanner/skiddiot/twit on the other end. However, I've yet to attack that one, and when I do I will DEFINITELY post the concept in words we can all use.

Alistair Tonner.

> Kind regards,
> Udo
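The ordering Alistair describes, laid out as an added example (this is not code from either poster): a POSIX sh script that builds an INPUT chain with the RELATED,ESTABLISHED accept and the per-port accepts of NEW connections first, then a psd-based jump into a separate SCANNERS chain, and only then the TARPIT for unprivileged ports. The port list, the chain name SCANNERS and the assumption that the TARPIT target and psd match are installed (today both ship in xtables-addons) are the example's own choices. Applying the rules needs root; with DRY_RUN=1 the script prints the commands instead, and check_order confirms that no TARPIT or SCANNERS jump in INPUT precedes the last ACCEPT.

```shell
#!/bin/sh
# Added example: rule ordering for TARPIT behind the RELATED,ESTABLISHED accept.
# Requires root plus the TARPIT target and psd match (xtables-addons) to apply;
# set DRY_RUN=1 to print the iptables commands instead of running them.

IPT="${IPT:-iptables}"
# Ports this host actually serves (assumed for the example); NEW connections
# to anything else above 1023 are tarpitted.
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"

# Wrapper: either run iptables or, in dry-run mode, echo the command line.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -N SCANNERS
    ipt -F SCANNERS

    # 1. Loopback and anything belonging to a tracked flow leave the chain
    #    here; nothing below ever sees a RELATED or ESTABLISHED packet.
    #    (-m state --state is the older spelling of -m conntrack --ctstate.)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 2. NEW connections to the services you want reachable. These must come
    #    before any TARPIT rule, or the tarpit swallows legitimate clients.
    for p in $ALLOWED_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. Hosts that look like port scanners (psd defaults) go to their own
    #    chain so the TARPIT logic can be tuned or logged in one place.
    ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m psd -j SCANNERS

    # 4. Remaining NEW TCP connections to unprivileged ports get tarpitted.
    #    Anything not matched falls through to the DROP policy.
    ipt -A INPUT -p tcp --dport 1024:65535 -m conntrack --ctstate NEW -j TARPIT

    ipt -A SCANNERS -p tcp -j TARPIT
}

# Dry-run the ruleset and verify the ordering invariant: every ACCEPT in
# INPUT must appear before the first TARPIT or SCANNERS jump in INPUT.
# Exit status 0 means the ordering is correct.
check_order() {
    rules=$( DRY_RUN=1; build_rules )
    last_accept=$(printf '%s\n' "$rules" \
        | grep -n -- '-A INPUT .*-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_tarpit=$(printf '%s\n' "$rules" \
        | grep -E -n -- '-A INPUT .*-j (TARPIT|SCANNERS)' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_tarpit" ] \
        && [ "$last_accept" -lt "$first_tarpit" ]
}

# Usage: DRY_RUN=1 sh tarpit-order.sh to review; run as root without DRY_RUN to apply.
if [ "${DRY_RUN:-0}" = "1" ]; then
    build_rules
fi
```

Moving the ACCEPT of NEW connections below the TARPIT rule is the mistake the reply warns about: the tarpit would then answer the first SYN of a legitimate client before any ACCEPT was consulted. Swapping steps 2 and 4 in build_rules makes check_order fail, which is a cheap regression check to keep next to a firewall script.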