David Stes wrote:
Greetings,

I read about the *ippool* feature where the examples show how ippools can
be defined as groups of ip addresses.

Is it possible to use ippools for other objects as well?

Like sets (pools) of tcp port numbers, for example.

If this is possible, could you please give an example?

It would be nice if a pool could be defined for example,

        pool ports = { telnet, ftp, rexec, www }

so to speak and then in the /etc/ipf.conf file it could be possible to
accept traffic (or block traffic) to that pool of "ports", instead of
enumerating the ports in the ipf.conf file, it could just refer to the pool.

I am also thinking specifically of my application of RPC filtering.

I am trying to setup RPC call/response filtering, and I was thinking that
it could be nice to use the IPFILTER ippool feature to define pools of RPC
program numbers.

For example, for NetWorker, I could define the pool as the union of
        portmapper and 390100:390120

This is a pool of 1 rpc program number (100000, portmapper) + a set of about
20 other rpc program numbers.

Is this possible, and does it make sense to try to extend the ippool feature
for tcp / udp or rpc ports and not use pools only for ip addresses ?

Interesting idea!

I can't see why it shouldn't be extended like this...

I think the thing to do would be to define a new backend for ip_lookup.c that
managed a collection of port numbers (plus maybe protocol?).

If you limit it to doing exact port number matches and given that the port number space is much smaller, what I think would be interesting to try is to build a backend that tried to maintain a perfect hash table, so that both positive and negative lookups are O(1).

Darren
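As an added illustration of the backend Darren sketches (example code written for this thread, not IPFilter's ip_lookup.c), here is a static "pool of numbers" whose members are mapped to distinct slots by a multiplier found at build time, so an exact-match lookup is O(1) whether the answer is yes or no; the sentinel value, the multiplicative hash search and the NetWorker pool of portmapper plus 390100:390120 are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical "pool of numbers" backend (added example, not IPFilter's
 * ip_lookup.c). The pool is static, so at build time we search for an odd
 * multiplier that sends every member to its own slot: a perfect hash, so a
 * positive or negative lookup is one multiply, one shift and one compare. */
#define PP_EMPTY 0xffffffffu   /* sentinel for an unused slot, never a member */
/* slots[i] holds a member or PP_EMPTY; shift is 32 - log2(number of slots) */
typedef struct { uint32_t *slots; uint32_t mult; unsigned shift; } portpool_t;

/* Build from n members (TCP/UDP ports or RPC program numbers). Tries random
 * multipliers per size, doubles the table when none is collision-free. */
int portpool_build(portpool_t *p, const uint32_t *keys, size_t n) {
    uint32_t nslots = 2; unsigned shift = 31;
    while (nslots < 2 * n) { nslots <<= 1; shift--; }
    for (; shift > 0; nslots <<= 1, shift--) {
        uint32_t *t = malloc(nslots * sizeof *t);
        if (t == NULL) return -1;
        for (int attempt = 0; attempt < 64; attempt++) {
            uint32_t mult = ((uint32_t)rand() << 1) | 1u;
            size_t i;
            memset(t, 0xff, nslots * sizeof *t);      /* all slots PP_EMPTY */
            for (i = 0; i < n; i++) {
                uint32_t h = (keys[i] * mult) >> shift;
                if (t[h] == keys[i]) continue;       /* duplicate member, fine */
                if (t[h] != PP_EMPTY) break;         /* collision: try another */
                t[h] = keys[i];
            }
            if (i == n) { p->slots = t; p->mult = mult; p->shift = shift; return 0; }
        }
        free(t);
    }
    return -1;
}

/* Exact-match membership test; O(1) whether or not key is in the pool. */
int portpool_lookup(const portpool_t *p, uint32_t key) {
    return key != PP_EMPTY && p->slots[(key * p->mult) >> p->shift] == key;
}

/* The NetWorker pool from the thread: portmapper (100000) plus 390100:390120,
 * built on first use. Returns 1 or 0, or -1 if the build failed. */
int networker_pool_has(uint32_t prog) {
    static portpool_t pool; static int built;
    if (!built) {
        uint32_t keys[22], x; size_t n = 0;
        keys[n++] = 100000;
        for (x = 390100; x <= 390120; x++) keys[n++] = x;
        if (portpool_build(&pool, keys, n) != 0) return -1;
        built = 1;
    }
    return portpool_lookup(&pool, prog);
}
```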
