dns tunnels a threat?

nextime at nexlab.it nextime at nexlab.it
Fri Sep 7 13:37:53 UTC 2007


> The rate limiting is pretty easy to do with iptables for all users. This
> kind of stuff is well suited for the ip-up/down and connection-up/down
> scripts.

Generally speaking I agree with you. I'm only concerned about the
connection tracking issue, but this may need to be tested before
saying anything.

I don't really know how a connection that is rate limited by default and is
in the conntrack table reacts when you remove the rate limit rule. Is the
change immediately applied, or do you need to wait for the conntrack timeout
to expire?

If the second option is the right one, using iptables can be a problem
on old kernels like < 2.6.10 where you can't
manipulate the connection tracking table dynamically
with the "conntrack" command, so maybe hw like the wrt54gl, where you can't
use (yet) a 2.6 kernel because of the broadcom wifi driver, can do it
with iptables.

This is basically why I started to use my udp relayer instead of doing
the work by DNATting the packets with iptables.
-- 

Franco (nextime) Lanza
Busto Arsizio - Italy
SIP://casa@casa.nexlab.it

NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7  4189 DFED F580 D613 2D50
-----------------------------------
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc
-----------------------------------
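As an added example (not from this thread or the Chilli project), a POSIX shell sketch of the ip-up/ip-down approach discussed above: per-client DNS rate limiting with the iptables `limit` match, plus an explicit flush of that client's conntrack entries when the limit is lifted, so the policy change applies to the next packet rather than after the conntrack timeout. It assumes iptables, conntrack-tools (hence a 2.6 kernel) and clients traversing the FORWARD chain; the function names and defaults are mine.

```shell
#!/bin/sh
# Added example: per-client DNS rate limit for ip-up/ip-down scripts.
# Assumes iptables with the "limit" match and the conntrack-tools CLI.
# Set DRY_RUN=1 to print the commands instead of executing them.

DNS_RATE="${DNS_RATE:-10/sec}"   # sustained DNS query rate allowed per client
DNS_BURST="${DNS_BURST:-30}"     # burst tolerated before queries are dropped

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ip-up: accept DNS from the client up to the limit, drop everything above it.
# Both rules are inserted at the top so they win over later ESTABLISHED rules.
dns_limit_add() {
    ip="$1"
    run iptables -I FORWARD -s "$ip" -p udp --dport 53 \
        -m limit --limit "$DNS_RATE" --limit-burst "$DNS_BURST" -j ACCEPT
    run iptables -I FORWARD 2 -s "$ip" -p udp --dport 53 -j DROP
}

# ip-down (or when the limit is lifted): remove the two rules, then drop the
# client's DNS conntrack entries so no cached state outlives the rule change.
dns_limit_remove() {
    ip="$1"
    run iptables -D FORWARD -s "$ip" -p udp --dport 53 -j DROP
    run iptables -D FORWARD -s "$ip" -p udp --dport 53 \
        -m limit --limit "$DNS_RATE" --limit-burst "$DNS_BURST" -j ACCEPT
    run conntrack -D -s "$ip" -p udp --dport 53
}

# Usage: dns-limit.sh up <client-ip> | down <client-ip>
case "${1:-}" in
    up)   dns_limit_add "$2" ;;
    down) dns_limit_remove "$2" ;;
esac
```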
