On 11/29/07 3:55 AM, "Benny Amorsen" <benny+usenet@xxxxxxxxxx> wrote:

>>>>>> "GT" == Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> writes:
>
> GT> The preferred option would be to DNAT (redirect) the traffic to a
> GT> mini web server that will serve up a generic web page indicating
> GT> that the access has been blocked.
>
> The GET request only gets transmitted once the three-way TCP handshake
> is done. By then it's way too late to DNAT anything -- the mini web
> server wouldn't get a SYN, so it would throw away the packet.
>
>
> /Benny
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Thanks to all who responded to this...looks like I'll have to use a multi-layered approach.

Thanks again,

James