From: Mark Frey <markfrey@sympatico.ca>
To: Sudheimer <sudix@f3g.de>
Cc: linux-diald@vger.kernel.org
Subject: Re: How to ignore incoming packets
Date: Thu, 28 Aug 2003 19:47:43 -0400
Message-ID: <3F4E949F.1020701@sympatico.ca>
In-Reply-To: <3F4DE6C1.7050304@sympatico.ca>
Hi Joachim,
I've created a new template rule file here and it seems to be working
well :-)
All the rules match only on my own dynamic source address, thus ignoring
*anything* coming in. If I don't originate packets the link will not be
kept up. This assumes the firewall drops everything not associated with
an allowed connection and does not generate reject packets.
I might have to add some specific rules if I need, for example, incoming
UDP streaming media to keep the link up when the protocol does not
generate periodic outgoing packets back to the server...
Here's the bare-bones template file:
# Rule for while offline, proxy address:
accept any 120 ip.saddr=192.168.0.1
# Rules for when we're online:
# Keep up for 29 minutes after last web access
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.http
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.https
# Keep link up for a while after popping mail
accept tcp 900 ip.saddr=192.168.255.255,tcp.dest=tcp.pop3
# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 30 ip.saddr=192.168.255.255,!tcp.live
# 2 minutes for anything else we originate
accept any 120 ip.saddr=192.168.255.255
---------
And, the commands to put in the ip-up script (your file and fifo
locations may vary):
# adjust filters for our current ip address ($3 is the new local address):
sed "s/192\.168\.255\.255/$3/g" /usr/lib/diald/our.filter.template >/usr/lib/diald/our.filter
# tell diald to re-read its configuration:
echo reset > /etc/diald/diald.ctl
Mark.
Mark Frey wrote:
> Hi Joachim,
>
> Thank you for pointing out the reset command!
>
> Diald passes your ip address to the ip-up script, if defined. You could
> make a template rule file with a unique pattern everywhere you want your
> own ip address to be, with lines something like this:
>
> ignore tcp ip.daddr=192.168.255.255,tcp.dest=tcp.telnet
>
> Then in the ip-up script ($3 contains the new local IP address):
>
> sed "s/192\.168\.255\.255/$3/g" template_file >diald_rule_file
> echo reset >/var/run/diald.fifo
>
> I'll see if I can find time to try this out here.
>
> Mark.
>
>
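A hardened version of the ip-up snippet above, added here as an example; it is not code from Mark's message or from diald itself. It keeps the same idea (a placeholder in a template, sed substitution, `reset` through the control fifo) but validates the address diald passes in $3 before it can reach sed or the rule file, escapes the dots in the placeholder so they match only a literal dot, writes the new filter atomically, and refuses to install a file in which the placeholder survived. The file locations, the `SAMPLE_TEMPLATE` (a constructed copy of the template from the post), and the helper names `valid_ipv4`, `render_filter`, `install_filter` and `signal_diald` are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: a safer ip-up for diald.
# File locations below are assumptions; adjust to your installation.

TEMPLATE=${TEMPLATE:-/usr/lib/diald/our.filter.template}
FILTER=${FILTER:-/usr/lib/diald/our.filter}
FIFO=${FIFO:-/etc/diald/diald.ctl}
PLACEHOLDER=192.168.255.255   # marker used in the template on this page

# Constructed copy of the posted template, so the functions can be run
# without the real file.
SAMPLE_TEMPLATE='# Rule for while offline, proxy address:
accept any 120 ip.saddr=192.168.0.1
# Keep up for 29 minutes after last web access
accept tcp 1740 ip.saddr=192.168.255.255,tcp.dest=tcp.http
keepup tcp 30 ip.saddr=192.168.255.255,!tcp.live
accept any 120 ip.saddr=192.168.255.255'

# True only for a dotted quad of four octets 0-255.  An empty $3, a
# hostname, sed metacharacters or a shell fragment are all rejected
# before they can reach sed or the filter file.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Copy the template from stdin to stdout with the placeholder replaced.
# The dots are escaped because an unescaped '.' in a sed regex matches
# any character, not just a dot.
render_filter() {   # usage: render_filter IP < template
    pattern=$(printf '%s\n' "$PLACEHOLDER" | sed 's/\./\\./g')
    sed "s/$pattern/$1/g"
}

# Render $TEMPLATE for IP into $FILTER.  The output goes to a temporary
# file first and is moved into place, so diald never reads a half-written
# rule set; if the placeholder is still present, nothing is installed.
install_filter() {   # usage: install_filter IP
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "ip-up: refusing bad local address '$ip'" >&2
        return 1
    fi
    tmp="$FILTER.tmp.$$"
    render_filter "$ip" < "$TEMPLATE" > "$tmp" || { rm -f "$tmp"; return 1; }
    if grep -qF "$PLACEHOLDER" "$tmp"; then
        echo "ip-up: placeholder left in $tmp, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$FILTER"
}

# Ask diald to re-read its configuration through the control fifo.
signal_diald() {
    if [ ! -p "$FIFO" ]; then
        echo "ip-up: $FIFO is not a fifo; is diald running?" >&2
        return 1
    fi
    echo reset > "$FIFO"
}

# diald runs ip-up with the new local address in $3 (as the post says).
# Only act when one was given, so the file can also be sourced.
if [ -n "${3:-}" ]; then
    install_filter "$3" && signal_diald
fi
```

Because the address is checked to be a plain dotted quad before substitution, it cannot contain `/`, `&` or `\`, so it is safe to put straight into the sed replacement; the temporary file plus `mv` keeps the window in which diald could read a truncated rule file to zero.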
Thread overview:
2003-08-27 14:19 How to ignore incoming packets Sudheimer
2003-08-27 21:36 ` Mark Frey
2003-08-28 8:19 ` Sudheimer
2003-08-28 11:25 ` Mark Frey
2003-08-28 23:47 ` Mark Frey [this message]
2003-08-29 16:34 ` sudix