Re: help with setting up iptables for use with snort_inline (QUEUE target)

On Thursday 01 July 2004 17:09, Antony Stone wrote:

<snip>
> You might find the new "helper" match does what you need?   I'm not certain
> because I haven't played with it, but it seems like a likely bet...

You seem to be right!

I added this rule:
iptables -t mangle -A OUTPUT -m helper --helper "ftp" -j MARK --set-mark 0x1

and ftp now seems to work!

> By the way, why are you doing all this in the OUTPUT chain?

Just for testing. I'm particularly interested in using snort_inline to protect 
Internet Explorer. So I'm trying to QUEUE http, ftp etc. to snort_inline and 
try to visit sites with example exploits and see if snort_inline catches 
it... (I'm not running IE on my linux machine of course ;-)

> I'm not quite sure that I see the purpose of running snort-inline on a
> single machine.   A router for a network, yes, but why on a standalone
> system?

I agree, although it does work. The recent troubles with IE show that it can't 
hurt protecting a client against a webserver. And my system is a lot faster 
(2.2 GHz) than my firewall (200 MHz), so it makes _some_ sense!

Too bad the helper module is not in the stock Debian Stable kernel. It is in 
the 2.4.26 kernel at www.backports.org however, so I'm happy.

Thanx Antony!

Regards,
Victor

>
> Regards,
>
> Antony.
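The following script is an added example written for this archive page; it is not part of Victor's or Antony's mail. It puts the single MARK rule from the post into a complete rule set for a standalone host: the conntrack "helper" match tags every packet the FTP helper recognises (control channel plus the data connections a plain port match would miss), the tagged packets and plain HTTP are handed to userspace with the QUEUE target, and the INPUT side is included so that responses from a webserver, which is what the post wants to inspect, also reach snort_inline. The mark value 0x1 comes from the post; the function names, the APPLY switch, and the choice to queue only ports 21/80 are assumptions made for this example. Module names ip_conntrack_ftp and ip_queue are the 2.4-kernel names the post's setup would use.

```shell
#!/bin/sh
# Added example (not from the list post): rules that send a host's own HTTP
# and FTP traffic through snort_inline via the QUEUE target. By default the
# rules are only printed; set APPLY=1 to execute them (requires root and a
# kernel with the helper match, as discussed in the post).

# Emit one iptables rule: execute it in APPLY mode, otherwise print it.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Load the conntrack FTP helper and the ip_queue module (2.4 kernel names),
# only when the rules are really applied.
load_modules() {
    if [ "${APPLY:-0}" = "1" ]; then
        modprobe ip_conntrack_ftp
        modprobe ip_queue
    fi
}

snort_inline_rules() {
    # FTP_MARK: the mark value used in the post to tag FTP packets.
    FTP_MARK=0x1

    # 1. Tag packets the FTP helper associates with an FTP session, in both
    #    directions. The helper also tracks the data connections (PORT/PASV),
    #    which a port-based match on 21 would not see.
    rule -t mangle -A OUTPUT -m helper --helper ftp -j MARK --set-mark "$FTP_MARK"
    rule -t mangle -A INPUT  -m helper --helper ftp -j MARK --set-mark "$FTP_MARK"

    # 2. Hand tagged FTP packets to userspace; snort_inline reads them from
    #    ip_queue and issues a verdict (accept or drop) per packet.
    rule -A OUTPUT -m mark --mark "$FTP_MARK" -j QUEUE
    rule -A INPUT  -m mark --mark "$FTP_MARK" -j QUEUE

    # 3. HTTP has no secondary connections, so a plain port match suffices.
    #    The INPUT rule is what lets snort_inline inspect the server's reply,
    #    i.e. the direction that matters for protecting a browser.
    rule -A OUTPUT -p tcp --dport 80 -j QUEUE
    rule -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j QUEUE
}

# Sanity check for the dry run: number of rules that use the QUEUE target.
# Evaluated in a subshell with APPLY=0 so it never touches the live tables.
count_queue_rules() {
    ( APPLY=0; snort_inline_rules ) | grep -c -- '-j QUEUE'
}

load_modules
snort_inline_rules
```

Note that if snort_inline is not running, packets sent to QUEUE are dropped by the kernel once the queue fills, so on a real host the rules should only be loaded after snort_inline has opened ip_queue.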

