On Tue, 4 Jun 2002, Balazs Scheidler wrote:
I'd like to make tproxies easier to administer, so I'm thinking about a
simple way of matching tproxied packets, which can be ACCEPTed from the
INPUT chain.
Possible solutions:
* use a new state (called TPROXY), which would be applied to all
Hi,
First of all, thanks for the feedback on my tproxy patches. It generally
works well for TCP based connections, what I'm up to now is proper support
for UDP.
The problem with datagram based protocols is that connection tracking (at
least in my case involving Zorp) and address translation is
On Wed, 5 Jun 2002, Balazs Scheidler wrote:
The only features for a UDP proxy are the following:
* being able to receive frames originally destined elsewhere (the REDIRECT
case)
* being able to receive frames from an arbitrary host, originally destined
to another arbitrary host (the
On Wed, Jun 05, 2002 at 11:48:49AM +0200, Jozsef Kadlecsik wrote:
On Wed, 5 Jun 2002, Balazs Scheidler wrote:
* yet another flag to ip_nat_setup_info() to set up a single manip only.
* free the state associated to UDP packets after the translation was applied.
* instead of setting up a NAT
On Wed, 5 Jun 2002, Balazs Scheidler wrote:
Let me think a bit about it. For UDP packets I don't really need
conntracking sessions, I only need to translate single packets, but I'd like
to avoid messing with IP and UDP header translation myself.
So NOTRACK is good for me, I don't need NONAT
On Wed, Jun 05, 2002 at 08:53:25AM +0200, Jozsef Kadlecsik wrote:
On Tue, 4 Jun 2002, Balazs Scheidler wrote:
Possible solutions:
* use a new state (called TPROXY), which would be applied to all TPROXYed
packets (might interact badly with nat/conntrack).
* have the tproxy framework
Hi!
I am using iptables 1.2.5 on SuSE 8.0 using the standard SuSE kernel
2.4.18-4GB, with some minor modifications (I increased the number of
maximum devices in net/core/dev.c, which is normally limited to 100). I
am accounting traffic using iptables [...] -n -v -x -Z. I am doing this
hourly.
From: Michel Banguerski [EMAIL PROTECTED]
I came across your posting on netfilter-dev
I must have missed it, but I assume the idea is that firewalls should
reply to syn's with cookies and forward the connection only when it
gets the ack.
I also have thought this would be a good idea.
On Tue, Jun 04, 2002 at 04:50:36PM +0200, Balazs Scheidler wrote:
Hi,
Suppose you have a TCP session, which is transparently redirected to a local
proxy. With the current state of the tproxy framework one needs to add two
rules to iptables:
- one to the tproxy table to actually redirect a
On Wed, Jun 05, 2002 at 09:29:54PM +0200, Henrik Nordstrom wrote:
Torge Szczepanek wrote:
I am getting byte counters like this:
18446744073707058701
Very much looks like a negative number.. the above is the same as 64 bit
integer -2492915 printed as an unsigned value.
The byte
On Thu, Jun 06, 2002 at 04:53:02AM +0900, bob wrote:
HTML is not the right format for an email. emails are either plain 7 bit ascii
or mime encoded text.
--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/