Quotes DB: #netfilter log
<0> was there ever a -m icmp6 in ip6tables? I appear to have one in my ip6tables -vL and ip6tables-save output; it generated an error until I symlinked libip6t_icmpv6.so to libip6t_icmp6.so
<1> hm
<1> ip6tables -p icmp or -p icmp6 does not do it?
<1> note that -p XXX implies -m XXX
<0> right, I'm talking about the output
<0> 0 0 ACCEPT ipv6-icmp any any anywhere anywhere UNKNOWN match `icmp6'
<0> that's the line from ip6tables -vL
<1> but you were able to add it!?
<0> somehow
<1> then it should be valid
<1> meaning, -L does not know a proper way to print it
<0> right, it's valid and looks fine after I symlinked the .so
<1> just see if it matches packets
<1> eh of course
<1> the .so file registers exactly one string internally
<1> weird things can happen if you cross-symlink it
<1> btw, the proper thing is:
<1> -p icmpv6
<1> and libip6t_icmpv6.so
<0> not -p ipv6-icmp?
<1> although...
<1> you have to use -p icmp6
<1> er
<1> gnah
<1> weirdly broken.
<1> libip6t_icmpv6.c registers a match called "icmp6"
<1> but the library is libip6t_icmpv6.so
<1> that creates quite a problem
<1> i think you found a bug.
<0> yeah, think so
<1> call out
<1> Gandalf_ : There's a bug in libip6t_icmpv6.c
<1> try bugging Gandalf_ or LaF0rge when they wake up
<0> I was thinking of just putting it in bugzilla
<1> or write to netfilter-devel@ mailing list
<1> netfilter-devel@lists.netfilter.org
<0> ok
<2> gug
<3> gug
<4> gug
<5> hi, would anyone here by any chance have a patch to fix the nf-hipac patch for kernel 2.6.16?
<6> gug
<5> gugr
<3> just logged into a linuxrouter, 413 days uptime, kernel 2.4.17 and ip_conntrack , ip_conntrack_ftp
<3> It's amazing it's still alive
<5> Linux ***censored*** 2.0.40 #2 Mon Feb 9 09:29:01 MET 2004 i686 unknown
<5> only 331 days uptime though
<5> you win :)
<3> heh, and your kernel doesn't have a buggy ip_conntrack that among other things can cause memory corruption
<5> right
<7> Uptame eh.
<7> err
<7> Uptime
<7> I win.
<7> Closing in on 1200 days ;-)
<3> heh
<8> I'm new to iptables and have a compromised webserver that's sending out phishing emails from behind an iptables/netfilter firewall. while we cleanup/reinstall/rebuild I need to keep this webserver up but limit what mailservers it can connect to.
<8> what I'd like to do is: drop all connections to port 25 not destined to a few whitelisted mailservers
<8> how?
<8> fyi the fw box also implements 1 to 1 nat.
<5> hi
<8> hello
<5> you want to accept connections to a few hosts and drop the rest
<8> actually this is an outbound problem
<8> network is as follows:
<5> something like this: iptables -A FORWARD -s $compromisedmachine -d $mailserver -p tcp --dport 25 -j ACCEPT
<5> for each mailserver
<5> iptables -A FORWARD -s $compromisedmachine -p tcp --dport 25 -j DROP
<5> to block the connections that go out
<8> the rules are processed in order, correct? so it will process each rule until it matches then take that action?
<5> yes
<5> thats why you should accept the connections first, and then drop all the rest
<8> k, gotta now look for rules on these addys that may conflict
<8> wouldn't want to close the hole only to have it opened by an existing rule.
<5> I don't mean to lecture you, but the best way to handle this would be to pull the plug on the existing server and replace it with a clean up-to-date server while you do a post-mortem
<5> just offering my unsolicited advice :)
<9> hello all
<9> i search a tool to do bandwidth monitoring on a bridge with "per ip" statistics, is it possible?
<8> xteven: I intend to replace the box and we tried that but it's been down too long due to the new hw failing on rebuild and I've had to temporarily put this box back in service to keep its owner happy
<8> ultimately over the next day or 2 it will be rebuilt from scratch
<8> Thanks for the help with patching things
<5> DaFresh : checkout ipfm
<5> johngalt : np
<3> ipfm uses a sorted linked list for all the data which is bad if you have large subnets that you want to monitor and high packet rates
<3> I have a patch that changes it into an array instead, reduced cpu usage from 78% to 3% on a machine at my old job
<5> interesting
<5> how much traffic did you push through it?
<3> only about 30kpps
<3> and it was a /19 subnet
<1> hey Gandalf_
<3> so on average it searched through 4096 entries in order to find the correct
<3> and it did that 30,000 times per second
<3> jo jengelh
<5> did you submit your patch to the ipfm dev team ?
<3> yes but I never received an answer
<1> Gandalf_ : did you see the icmpv6 bug?
<3> jengelh: yes I saw it but I won't have time to do anything about it until maybe tonight (don't really have time for irc either :)
<1> Gandalf_ : just rename libip6t_icmpv6.c to libip6t_icmp6.c
<9> Xteven, ok, thx a lot
<5> hi again, what does this indicate: unable to find ladd slot in src /tmp/pom-28183/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/Makefile.ladd)
<5> ?
<10> pom-ng was unable to find the line after which the new part should be added
<10> ie. the patch does not apply cleanly to your kernel
<5> aha
<11> 'afternoon
<11> I was wondering if there were some technical documents on how much "load" netfilter could take.
<11> like the maximum number of packets per second it might be able to process.
<11> or if I use it for session limitation, how many concurrent sessions it could handle.
<0> CodeWarrior: I think each connection takes about 400 bytes of memory, so it depends on how much RAM your firewall has
<11> danieldg: what about processing power? how effectively will this work on smp machines?
<11> danieldg: it might be helpful to know that I am not looking for a theoretical figure here. I was thinking about something solid (perhaps tested)
<0> I think it will use both processors, but I don't know the numbers for processing. Someone in here should, looks like they're asleep or something
<11> this is going to be an isp,
<11> with quite a lot of subscribers.
<11> so we're talking 10,000 clients, each with, say, 20 sessions.
<11> traffic shaping for all of that.
<11> etc.
<5> just so everyone knows: the ipp2p patch that appeared on the mailinglist today, doesn't work on the 20060326 snapshot :)