Re: Filter by Packet's size

On Mon, 18/02/2008 at 10:59 -0300, Michael Fernández M wrote:
> On Mon, 2008-02-18 at 15:36 +0200, Покотиленко Костик wrote:
> > On Mon, 18/02/2008 at 09:25 -0300, Michael Fernández M wrote:
> > > Hi, 
> > > 
> > > Is there a way to filter a packet by its size? I mean, I would
> > > like to filter all the packets that have a size of 2 MB.
> > > 
> > > Is that possible?
> > > 
> > > Thanks to any answer.
> > 
> > iptables -m length --length 0:1024
> > 
> 
> > But let me admit that normal packet length is up to 1500 bytes, in some
> > cases up to 65535 bytes. Maybe you didn't correctly face the question?
> > 
> 
> Yeah, I know... but the thing is:
> 
> I have a mail server (Postfix), and if I restrict the size of messages
> up to 2 MB.. then a user sends an email (3 MB) and Postfix receives the
> message and then says: "You cannot send this message because of the
> size"... and sends a notification to the user... so I want to stop the
> packets before they arrive at Postfix... and take this load off the
> mail server...

1. You are mixing up 2 things: the size of the email (~tcp stream size)
and the packet size. When you send an email of 3Mb size, the process that
is happening is: a tcp connection is established (by sending some tcp
packets) and your message (protocol smtp) is sent split into packets
(commonly) 1500 bytes long.

2. iptables works at the ip/tcp level and knows nothing about higher
protocols such as smtp. The exception is iptables' level7 filter, which
is not really a good idea.

Finally, the right place to solve this situation is really in your
smtp-server (postfix).

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
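
The distinction drawn in the reply above, as an added example that is not part of the original message: it splits a TCP stream into packets to show that a per-packet length test sees the same sizes for a 1 MB and a 3 MB mail, then makes the size decision at the SMTP level from the ESMTP SIZE parameter (RFC 1870). The 40-byte header overhead, the function names, the sample address and the reply texts are assumptions made for the illustration.

```python
import re

MTU = 1500               # packet size named in the reply ("1500 bytes long")
IP_TCP_HEADERS = 40      # assumption: 20-byte IPv4 + 20-byte TCP header, no options
LIMIT = 2 * 1024 * 1024  # the 2 MB message limit from the thread


def packet_lengths(stream_bytes, mtu=MTU):
    """IP total length of each data packet carrying a TCP stream of this size."""
    mss = mtu - IP_TCP_HEADERS
    full, rest = divmod(stream_bytes, mss)
    lengths = [mtu] * full
    if rest:
        lengths.append(rest + IP_TCP_HEADERS)
    return lengths


def length_match(pkt_len, lo, hi):
    """Per-packet test in the style of '-m length --length lo:hi'."""
    return lo <= pkt_len <= hi


def smtp_size_check(mail_from_line, limit=LIMIT):
    """Application-level decision on the size the client declares in MAIL FROM."""
    m = re.search(r"\bSIZE=(\d+)\b", mail_from_line, re.IGNORECASE)
    if m and int(m.group(1)) > limit:
        return "552 message size exceeds limit"  # constructed reply text
    return "250 ok"                              # constructed reply text


if __name__ == "__main__":
    for size in (1 * 1024 * 1024, 3 * 1024 * 1024):
        pkts = packet_lengths(size)
        over_mtu = sum(length_match(p, MTU + 1, 65535) for p in pkts)
        print(f"{size} byte mail: {len(pkts)} packets, largest {max(pkts)}, "
              f"{over_mtu} larger than the MTU")
    # Constructed sample command; example.org is a placeholder domain.
    print(smtp_size_check("MAIL FROM:<user@example.org> SIZE=3145728"))
```

The SIZE declaration is optional and supplied by the client, so the mail server still has to count the bytes it actually receives; in Postfix the limit is the `message_size_limit` parameter.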
