Comments:
<0> yo.
<0> anybody here worked in the need to block all outbound except mail/web/vpn areas before?
<0> meh.. egress filtering is a pain
<1> gug
<2> hardwire: yes
<2> it's not too hard ...
<2> just need to use --sport / --dport 1025-65535 and maybe even use a transparent proxy server (squid)
<3> hi
<4> question, mac address support is compiled in but iptables still gives me an "unknown arg --mac-address" error, idea anyone?
<5> ouah, I've just discovered that : http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/libnetfilter_cthelper/
<6> :)
<1> yeah, the kernel side code is interesting as well
<1> unfortunately I somehow deleted the git tree I had it in
<1> and I'm unable to fetch it from Harald's repository, it seems broken
<1> people.netfilter.org has git v0.99.9 :)
<5> I'm desperate about the lack of release of userspace code
<5> I'm writing an article on them
<5> for a French mag
<5> "well use svn : there is no stable release"
<5> quite sad
<7> what's that for?
<5> I think it is to write helper in userspace
<5> great idea
<7> ah, ok
<7> does it use nfqueue?
<1> yes
<7> ip_conntrack_mms.c:/* FIXME: This should be in userspace. Later. */
<7> this is a comment from the helper source
<1> Octavian: that's present in a couple of helpers (ftp, irc)
<1> Octavian: so that FIXME was probably added by Rusty quite a few years ago :)
<7> yes, i was sure i have seen that before :)
<7> Hidden: i think for performance reasons you can do that "only" with protocols which have a dedicated control connection, like ftp or mms have
<1> probably yes, otherwise you'd be forced to process each and every packet in userspace
<1> but in fact SIP is also similar, and a userspace SIP helper would make a lot of sense
<7> skype may be ok too, i think they have a tcp control connection too
<1> ok, it seems that Harald's repository is unusable because some git objects miss the appropriate permission bits...
<1> Octavian: but Skype is a fully closed protocol, isn't it?
<5> Hidden: no it opens everything ;-)
<1> Regit: sure, I've seen a lengthy presentation about Skype vs. your network :)
<7> hidden: there is a paper flowing around, the authors describe how to use part of the header data
<7> actually, the sun came out some this afternoon :)
<1> I've read these slides: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
<1> Octavian: that's nice to head, as I'll be visiting Germany between 13.06-18.06
<1> s/head/hear/
<7> are you on a conference?
<1> no, I'll be visiting a friend living in Muenchen
<7> that's the paper I read
<1> :)
<8> Regit: which French mag, dude ? :p
<5> sam_mdv: LMF
<5> :-p
<5> I'm sure you've guessed
<8> hehe :)
<8> Hidden: the paper about skype is interesting.
<0> hard__ware: poke
<9> Hello, I would like to create a rule using iptables excluding one source ip... is this possible? Let me explain further..
<9> I'm trying to activate the transparent proxy using iptables... but i would like to activate it for everyone but one IP address...
<9> $IPT -t nat -I PREROUTING -i eth1 -p tcp --dport 80 --source !172.16.0.169 -j REDIRECT --to-port 3128
<10> $IPT -t nat -I PREROUTING -i eth1 -p tcp --dport 80 ! -s 172.16.0.169 -j REDIRECT --to-ports 3128
<9> ok, thanks jengelh, let me try that... thanks!!!
<1> gug
<9> thanks jengelh, it worked perfectly...
<7> gug