https://qa.mandrakesoft.com/show_bug.cgi?id=721

------- Additional Comments From [EMAIL PROTECTED]  2002-12-30 21:55 -------
Created an attachment (id=79)
 --> (https://qa.mandrakesoft.com/attachment.cgi?id=79&action=view)
recent patch for netfilter in kernel-2.4.20-2mdk

------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
description: 
I have made and tested some netfilter patches for the Mandrake 2.4.20-2mdk src.rpm. They offer extra functionality for packet filtering. I have tested them and they work fine for me.

I couldn't test the pptp modules, because I don't have a pptp server or client in use. What I could gather from the netfilter mailing lists was that it isn't fully functional yet. There are some patches floating around which should make it more functional, but I didn't want to use those; I wanted to stick with released software first. If there are people trying it out on Cooker, maybe they can provide testing and information.

The patches are made in serial. I read the docs in the src.rpm for updating patches. I followed this policy somewhat. If something is wrong with the way the patches were made, then please tell me.
I assume you want to generate the .config files yourself, so I didn't bother to upload those.
 
I'll try to add these patches to the bugzilla entry:

DN04_iplimit.patch: You can limit the number of connections at the network level. Some servers have support for this feature built in, but most servers haven't. Having this functionality at the network level will make it available to all TCP/IP services.

DN05_nth.patch: You can make a rule for every n-th connection. For example, have the first of 2 new connections go to a first webserver, and the second new connection to a second webserver. This provides simple load balancing.

DN06_psd.patch: It does portscan detection. I just tested with a simple TCP/IP portscan (nmap -v "ipaddress"). I do not know if it detects other sorts of portscans.

DN07_time.patch: You can disable or enable connections based on time. For example, deny your kids' computer access to the internet after 22.00 in the evening.

DN08_recent.patch: It registers, and checks or updates, recent connections through a /proc entry. This one is really useful in combination with the psd module: you can block a portscanner's IP address for an hour, or as long as you wish. This is essentially an alternative for portsentry.

DN09_string.patch: With this module you can "grep" through certain packets looking for a certain string.

DN10_pptp_conntrack.patch: This provides conntrack and nat modules to allow pptp traffic through a firewall.

iptables.sh: a test script I used for testing purposes.
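The psd-plus-recent combination the report describes for DN06 and DN08 (detect a portscanner, then keep its address blocked for an hour) is modelled below in user space. This is an added example and not code from the bug report, the attached patches or netfilter itself; the scan window, the distinct-port threshold and the connection records it processes are constructed assumptions, not values taken from the patches.

```python
"""User-space model of the psd (portscan detection) and recent matches working
together, as described in the bug report. Added illustration only: thresholds
and traffic below are assumptions chosen for the demonstration."""
from collections import defaultdict, deque

PSD_WINDOW = 10.0     # seconds over which distinct destination ports are counted (assumed)
PSD_PORTS = 5         # distinct ports within the window that count as a scan (assumed)
BLOCK_SECONDS = 3600  # how long a detected scanner stays blocked (the report's "an hour")


class RecentList:
    """Models the recent match: --set records a source with a timestamp,
    --rcheck --seconds N tests whether it was seen within the last N seconds."""

    def __init__(self):
        self.last_seen = {}

    def set(self, src, now):
        self.last_seen[src] = now

    def rcheck(self, src, now, seconds):
        seen = self.last_seen.get(src)
        return seen is not None and now - seen <= seconds


class PortScanDetector:
    """Models the psd match: one source hitting many distinct destination
    ports within a short window is treated as a portscan."""

    def __init__(self, window=PSD_WINDOW, ports=PSD_PORTS):
        self.window = window
        self.ports = ports
        self.hits = defaultdict(deque)  # src -> deque of (timestamp, dst_port)

    def is_scan(self, src, port, now):
        q = self.hits[src]
        q.append((now, port))
        # Expire hits that fell out of the sliding window.
        while q and now - q[0][0] > self.window:
            q.popleft()
        return len({p for _, p in q}) >= self.ports


def filter_packets(packets, block_seconds=BLOCK_SECONDS):
    """Apply the rule order the report implies:
    1. DROP if the source is still on the recent list (rcheck within block_seconds)
    2. if psd flags the packet, put the source on the recent list (set) and DROP
    3. otherwise ACCEPT
    Returns a list of (timestamp, src, dst_port, verdict) tuples."""
    recent = RecentList()
    psd = PortScanDetector()
    verdicts = []
    for now, src, port in packets:
        if recent.rcheck(src, now, block_seconds):
            verdicts.append((now, src, port, "DROP"))
        elif psd.is_scan(src, port, now):
            recent.set(src, now)
            verdicts.append((now, src, port, "DROP"))
        else:
            verdicts.append((now, src, port, "ACCEPT"))
    return verdicts


# Constructed traffic (timestamp in seconds, source, destination port):
# 192.0.2.10 probes several ports within two seconds, then returns to port 80
# later; 198.51.100.7 only ever talks to port 80.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", 80),
    (1.0, "192.0.2.10", 21),
    (1.2, "192.0.2.10", 22),
    (1.4, "192.0.2.10", 23),
    (1.6, "192.0.2.10", 25),
    (1.8, "192.0.2.10", 80),     # fifth distinct port: psd fires, source recorded
    (2.0, "192.0.2.10", 443),    # already on the recent list
    (30.0, "198.51.100.7", 80),
    (1800.0, "192.0.2.10", 80),  # still within the hour: dropped
    (3700.0, "192.0.2.10", 80),  # block expired: accepted again
]

if __name__ == "__main__":
    for ts, src, port, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{ts:8.1f} {src:14} dport {port:<5} {verdict}")
```

The rule order matters: the recent check has to come before the psd rule, otherwise a blocked source keeps feeding the detector and the block never stands on its own. Only a source that crossed the threshold is recorded, so a host that merely talks to one port repeatedly (198.51.100.7 above) is never affected.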
