You are right, maybe it was a bad analogy. I personally use -j
REJECT --reject-with tcp-reset.
In regard to software with redirect, I don't want software and I don't
need to redirect a simple program I could make in Perl. In regard to the
DDoS attacks, if a 13-year-old script kiddie wants, he could attack my server
using a UDP packet storm from a few Sub7-server-infected cable modems, and
that's that. No firewall is gonna stop it. If you think otherwise, just ask
Steve Gibson: http://grc.com/dos/grcdos.htm
Anyway, I was asking this question for legitimate reasons (I think).
First, I want to apologize if I misled you.
My line of thinking was: is there any module developed for iptables that
can be programmed to return a short message when opening a port (say 113)?
For example, open port 113 -> "go away" -> close.
It is true that it could saturate the CPU, but so do other services. It is
just more straightforward and secure to put it as a feature on the firewall.
Besides, you could always do connection limiting to stop the saturation.
iptables IP connection tracking and packet fragment reassembly is indeed a needed
feature, but iptables is vulnerable to CPU saturation because of it, so a
legit port with a short message is not a real problem :).
* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Radel
Sent: Sunday, August 05, 2001 9:44 AM
To: Patrick Schaaf; Pol Muaddib
Cc: netfilter@lists.samba.org
Subject: Re: gracefull rst.
----- Original Message -----
From: Patrick Schaaf <bof@bof.de>
To: Pol Muaddib <muaddib@mailandnews.com>
Cc: <netfilter@lists.samba.org>
Sent: Sunday, August 05, 2001 9:17 AM
Subject: Re: gracefull rst.
> > I wanted to ask if there is a way to leave a port open with iptables, for
> > example port 113, and close the connection properly with ACK/FIN, etc., after
> > the connection handshake is made? I don't want to rudely use RST.
>
> Have a user level process which does nothing but accept/close, and use
> REDIRECT to get the connections to that user level process.
>
> > It would be more polite to close the door
> > instead of shutting it in someones face.
>
> Bad analogy. DROP presents no door at all. REJECT presents a closed door.
> Your proposal opens the door, lets the person in one step, then shoves
> the person out again without saying a word. This is still a bad analogy,
> but it comes closer, I think.
>
> Apart from that, you now increased the complexity of the "go away" case,
> opening yourself wider against denial of service attacks of the resource
> capturing nature. Think hard about that.
I agree: opening a connection and closing it is hard work: sending the FIN
and waiting for the ACKs will suck up much unswappable kernel memory, which
could be used for real incoming connections or other things.
Moreover you'll get no benefit: sending a RST will tear down the connection
being established, without harming the sender host!
In fact the RFC says that an unwanted connection should be rejected using a RST,
not by accepting and closing it (i.e. when no one is listening on that port).
Radel
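Patrick's "accept/close behind REDIRECT" process and Radel's contrast with a plain RST, as an added example that is not part of the original thread: a minimal loopback listener that ends each connection either with the orderly FIN/ACK exchange or, via SO_LINGER zero, with a RST, and a client probe that reports which one it observed. The iptables lines in the comments are the standard REDIRECT and REJECT forms; the redirect port 1113 is an assumption.

```python
# Added example (not from the thread): a tiny user-level "accept then close"
# listener, the process Patrick describes behind a rule such as
#   iptables -t nat -A PREROUTING -p tcp --dport 113 -j REDIRECT --to-ports 1113
# and, for contrast, the RST behaviour that plain
#   iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# gives without any user-level process at all.  Port 1113 is an assumption.
import socket
import struct
import threading


def serve_one(graceful: bool) -> int:
    """Listen on an ephemeral loopback port, accept exactly one connection
    and close it.  graceful=True ends it with the normal FIN/ACK exchange;
    graceful=False sets SO_LINGER (on, 0) so close() aborts with a RST.
    Returns the port so a client can connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def worker():
        conn, _ = srv.accept()
        if not graceful:
            # l_onoff=1, l_linger=0: drop the send queue and emit RST on close
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        conn.close()  # FIN (graceful) or RST (linger 0); no message is sent
        srv.close()

    threading.Thread(target=worker, daemon=True).start()
    return port


def probe(port: int) -> str:
    """Connect to the listener and report how the peer ended the session:
    'fin' for an orderly close (recv returns b''), 'rst' for a reset."""
    cli = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        return "fin" if cli.recv(16) == b"" else "data"
    except ConnectionResetError:
        return "rst"
    finally:
        cli.close()


if __name__ == "__main__":
    print("graceful close seen as:", probe(serve_one(True)))   # fin
    print("linger-0 close seen as:", probe(serve_one(False)))  # rst
```

The graceful path is the one that costs kernel state for the FIN/ACK exchange, which is Radel's point; the linger-0 path is what the firewall's tcp-reset reject gives for free.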