Re: TCP socket timeout problem.

Robin Smidsrød (dex@smidsrod.no)
Tue, 31 Mar 1998 00:02:28 +0200 (CEST)


On Mon, 30 Mar 1998, Erik Corry wrote:

> > Somebody suggested that I should only "open" the interface on UDP (DNS) and
> > TCP SYN. Anybody know if this is right, and if so, how do I set up the
> > _correct_ rules? Examples are more than welcome... (the interface is ippp0).
>
> Sounds right, if you have dynamic addresses, but I don't
[clip]
> With ipfwadm you can get the best of both worlds. In
> ip-down you set the old IP to reject, which kills any
> sockets that try to transmit while the interface is
> down. Then in ip-up you clear any reject rule on the new
> address and convert the reject rule on the old address to a
> deny rule. You have to do this because otherwise the reject
> packets go out (keeping up the link) instead of back to
> the source (because you don't have the IP any more that
> they are sent to). Shortly after, you get a retransmit,
> and the RST-provoker changes the address and you get
> a RST which kills the socket. You need to time out old
> deny rules after a few hours to avoid them building up
> and damaging performance.
>
> I regard that solution as too complex to be practical.

Well, it doesn't sound impossible, and it looks like the only practical
solution so far. But what if you get the same IP several times in a row?
Wouldn't the deny rules then block that route? At least, to me it
looks that way.

-- Robin

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robin Smidsrød   | Private: 33329383 | Web:    http://www.smidsrod.no
Ekelyvn. 11      | Mobile : 91593393 | E-Mail: robin@smidsrod.no
N-3150 TOLVSRØD  | Work   : 33301440 | Fax:    33324622  UIN: 1682773
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
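The ip-down/ip-up scheme Erik describes above, written out as an added example (not code from either poster): in ip-down the old address gets an output reject rule so stale sockets are told to go away; in ip-up any rule on the newly assigned address is removed first, which also covers the case Robin asks about where the same address comes back later, then the old address's reject rule is converted to a deny rule and recorded with a timestamp; expire() removes deny rules older than a few hours so they do not pile up. It uses the ipfwadm output chain (-O), source match (-S) and interface match (-W) with the reject and deny policies. The state file path, the expiry period and the dry-run default (IPFWADM set to echo so the commands are printed rather than applied) are assumptions for the example.

```shell
#!/bin/sh
# Dry-run by default: set IPFWADM=/sbin/ipfwadm to actually install the rules.
IPFWADM="${IPFWADM:-echo ipfwadm}"
IFACE="${IFACE:-ippp0}"
# Assumed state file: one "address epoch-seconds" line per outstanding deny rule.
STATE="${STATE:-/var/run/ipfw-old-addrs}"
# Assumed expiry: 3 hours, "a few hours" per the description.
EXPIRE_SECS="${EXPIRE_SECS:-10800}"

# Drop the state-file entry for an address (used when that address comes back).
forget() {
    [ -f "$STATE" ] || return 0
    awk -v a="$1" '$1 != a' "$STATE" > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
}

# ip-down: reject output from the old address so sockets still bound to it
# get an error back and die instead of keeping the link up.
ip_down() {
    old="$1"
    $IPFWADM -O -a reject -S "$old" -W "$IFACE"
}

# ip-up: clear anything left on the new address (it may be an address we
# denied earlier), then turn the old reject into a silent deny and record it.
ip_up() {
    new="$1"; old="$2"; now="${3:-$(date +%s)}"
    $IPFWADM -O -d reject -S "$new" -W "$IFACE" || true
    $IPFWADM -O -d deny   -S "$new" -W "$IFACE" || true
    forget "$new"
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        $IPFWADM -O -d reject -S "$old" -W "$IFACE" || true
        $IPFWADM -O -a deny   -S "$old" -W "$IFACE"
        echo "$old $now" >> "$STATE"
    fi
}

# Periodic job (e.g. from cron): delete deny rules older than EXPIRE_SECS.
expire() {
    now="${1:-$(date +%s)}"
    [ -f "$STATE" ] || return 0
    : > "$STATE.tmp"
    while read -r addr stamp; do
        if [ $((now - stamp)) -ge "$EXPIRE_SECS" ]; then
            $IPFWADM -O -d deny -S "$addr" -W "$IFACE" || true
        else
            echo "$addr $stamp" >> "$STATE.tmp"
        fi
    done < "$STATE"
    mv "$STATE.tmp" "$STATE"
}

# Usage: script down OLDIP | script up NEWIP OLDIP | script expire
case "${1:-}" in
    down)   ip_down "$2" ;;
    up)     ip_up "$2" "$3" ;;
    expire) expire ;;
esac
```

Hook it from ip-down as `script down $4` and from ip-up as `script up $4 $OLD` (pppd passes the local address as the fourth argument; remembering the previous one is left to the caller), and run `script expire` from cron.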

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu