[Firehol-support] Re: ipt_recent support?

Chris AtLee catlee at sidefx.com
Mon Mar 14 14:00:51 GMT 2005


On Mon, 2005-14-03 at 16:46 +1100, Daniel Pittman wrote:
> On 14 Mar 2005, Chris AtLee wrote:
> > I just saw a blog post talking about the ipt_recent module:
> > http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
> >
> > Would it make sense to add support for this to firehol?
> 
> I have been intending to implement this for a few days now, since I
> needed to deploy something to limit service-denying attacks against
> client machines of mine, and ipt_recent was suitable.
> 
> I would be interested to know what, if any, thoughts others have on a
> way to express the use of ipt_recent matches in firehol.
> 
> I am currently working out my preferred syntax, and intend to post
> something in the near future -- if not beaten to it.
> 
>           Daniel

My initial thoughts were to simply create some global variables to set
how long IP addresses remained in the recent tables.  ipt_recent's
author's website suggests adding IPs to the recent table whenever you
DROP a packet:
> It is the author's intent that all 'DROP' rules be replaced by:
> '-m recent --set -j DROP'
> and that a:
> '-m recent --update --seconds 60 -j DROP'
> rule be added very early on in the rule set [...]
(http://snowman.net/projects/ipt_recent/)

I believe this has the effect of whenever a packet is dropped, any other
packets from that host will be dropped over the next 60 seconds, and if
a packet is received before the 60 seconds has elapsed, the timer is
reset to 0.

The only problems I see with using global settings are that it doesn't
give you control on a per interface / per service basis, and if you've
got one person behind a NAT who is misbehaving, everybody else behind
the same NAT will be denied access temporarily.

Cheers,
Chris
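To make the behaviour described above concrete (the "drop once, then drop everything from that host for 60 seconds, with the timer restarting on every packet" effect, and the NAT side effect), here is a small model of the recent table as an added example. It is not code from this thread, from firehol, or from the ipt_recent project; it mimics the semantics of `-m recent --set` and `-m recent --update --seconds N` in plain Python, and the addresses and timestamps in the sample traffic are constructed.

```python
"""Model of the ipt_recent rule pair the thread quotes:

    -m recent --update --seconds 60 -j DROP     (early in the rule set)
    ... normal ACCEPT rules ...
    -m recent --set -j DROP                      (replaces every plain DROP)

Added example; not the module's code. Timestamps are seconds as plain ints.
"""
from dataclasses import dataclass, field


@dataclass
class RecentTable:
    """One ipt_recent list: source address -> time it was last recorded."""
    last_seen: dict = field(default_factory=dict)

    def set(self, ip, now):
        """'--set': add the address, or refresh it if already present."""
        self.last_seen[ip] = now

    def update(self, ip, now, seconds):
        """'--update --seconds N': match if the address was recorded within
        the last N seconds; on a match, refresh its timestamp (this refresh
        is what resets the timer on every packet, as described above)."""
        seen = self.last_seen.get(ip)
        if seen is None or now - seen > seconds:
            return False
        self.last_seen[ip] = now
        return True


def run_firewall(packets, seconds=60):
    """packets: iterable of (time, src_ip, allowed_by_policy) in time order.
    Returns a list of (time, src_ip, verdict) for each packet."""
    table = RecentTable()
    verdicts = []
    for t, ip, allowed in packets:
        # Early rule: anything recently dropped is dropped again, timer refreshed.
        if table.update(ip, t, seconds):
            verdicts.append((t, ip, "DROP(recent)"))
            continue
        if allowed:
            verdicts.append((t, ip, "ACCEPT"))
        else:
            # Final rule: a policy DROP also records the source address.
            table.set(ip, t)
            verdicts.append((t, ip, "DROP(set)"))
    return verdicts


# Constructed sample traffic. 203.0.113.7 stands for a NAT gateway shared by
# several users; the first packet is one misbehaving user, the later ones are
# legitimate requests that policy would otherwise accept.
SAMPLE_PACKETS = [
    (0, "203.0.113.7", False),    # disallowed -> DROP(set), recorded at t=0
    (10, "198.51.100.2", True),   # unrelated host, never dropped -> ACCEPT
    (30, "203.0.113.7", True),    # 30s since record -> DROP(recent), timer now 30
    (80, "203.0.113.7", True),    # 50s since refresh -> DROP(recent), timer now 80
    (150, "203.0.113.7", True),   # 70s since refresh -> timer expired -> ACCEPT
]


def demo():
    """Run the sample through the model and return just the verdicts."""
    return [verdict for _, _, verdict in run_firewall(SAMPLE_PACKETS)]


if __name__ == "__main__":
    for t, ip, verdict in run_firewall(SAMPLE_PACKETS):
        print(f"t={t:>3}s  {ip:<14} {verdict}")
```

The packet at t=80 is the interesting one: it is 80 seconds after the original drop, yet it is still dropped, because the packet at t=30 refreshed the timestamp. The NAT problem from the message follows directly: every packet from the shared address, whoever is behind it, is dropped while the entry is live.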
