Could be 2x SYN or 2x UDP or 2x ICMP. Any of that kind shall allow the
2nd packet to pass since I can - at least for now - assume, that this is
not a random flood with spoofed IPs. Of course only within a certain
time frame like 10-30 seconds and not infinite.
Best,
Jeff
Am 26.08.2015 um 14:46 schrieb André Paulsberg-Csibi:
One short question , do you mean clients that send you 2 or more SYN packets in the same session ?
Or just send ANY 2 packets in the same "session" , or even "worse" 2 times whatever the packet type ?
Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
EVRY Nordic Operations AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988
-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Jeff
Sent: 26. august 2015 14:22
To: netfilter@xxxxxxxxxxxxxxx
Subject: Accept clients that were seen at least twice only
Hello everybody,
I am looking for a way to accept traffic from clients only if they were
seen at least twice. This shall be part of a firewall concept which
protects the target from random floods where source IPs are usually only
seen once since they are random.
I cannot use the --state ESTABLISHED here because this requires a
complete handshake (for TCP). I'm okay with the first packet not
matching this rule as long as the 2nd one does. I'm looking forward to
reading your ideas!
Best,
Jeff
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
