On 19/05/06 07:51, Leendert Meyer wrote:
> On Friday 19 May 2006 15:13, Darryl Gregorash wrote:
>> <snip> I couldn't find "TARPIT" in man iptables.
>
> leen@ws-03:/home/leen> man iptables | grep -n TARPIT
> Reformatting iptables(8), please wait...
> 1695:       iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Which version are you running? I have SuSE 9.3 with iptables 1.3.1-3. Or is there an updated manpage in the tarpit module source?

>> It's probably not something you'd want to use with SuSEfirewall anyway, because that requires the conntrack module,
>
> Requires? Hmm, really? (I know about the warnings, i.e. you should avoid using conntrack with tarpit, because /then/ tarpit will use resources; without conntrack it doesn't.)

Yes, requires -- there is "-m state --state <blah>" all over the place, which requires conntrack.

>> a massive waste of resources.
>
> From the manpage:
>
> NOTE: If you use the conntrack module while you are using TARPIT, you should also use the NOTRACK target, or the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming connections to the standard IRC port while using conntrack, you could:
>
> iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
> iptables -A INPUT -p tcp --dport 6667 -j TARPIT

This is the ticket. Looks like netfilter.org needs to update a webpage or two though :-) -- without the conntrack module, iptables is just another stateless firewall, an improvement over ipchains (and a quantum leap over ipfwadm) but not much else. The conntrack modules (there is also conntrack_ftp) turn iptables into a very nice stateful firewall, something I for one would be very reluctant to give up just to simplify the problem of catching hack0rz and other sorts of slime.

> Too bad it's not in the kernel.

So a few thousand emails to Linus should take care of that :-)
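The manpage note quoted in the thread pairs every TARPIT rule in the filter table with a NOTRACK rule in the raw table, so that conntrack does not keep state for each tarpitted connection. The script below is an added example, not from the thread or from the netfilter project: it audits an `iptables-save` dump for that pairing and prints the raw-table rules that would close any gap. The rule set in `SAMPLE_RULES` is constructed for the example (port 6667 is paired as the manpage shows, port 80 is tarpitted without NOTRACK), and the function names `untracked_tarpit_ports` and `notrack_fix_rules` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an iptables-save dump for the
# pairing the TARPIT manpage asks for: every port sent to TARPIT in the filter
# table should also have a NOTRACK rule in the raw table, otherwise conntrack
# allocates state for each tarpitted connection.

# Constructed sample of `iptables-save` output (not captured from a real host).
# Port 6667 is paired with NOTRACK; port 80 is TARPITted without it.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 6667 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j TARPIT
-A INPUT -p tcp -m tcp --dport 80 -j TARPIT
COMMIT'

# Reads iptables-save output on stdin and prints, one per line, each TCP
# --dport that has a TARPIT rule in the filter table but no NOTRACK rule in
# the raw table. Prints nothing when every TARPIT port is covered.
untracked_tarpit_ports() {
    awk '
        # "*raw" / "*filter" lines switch the table the following rules belong to
        /^\*/ { table = substr($0, 2); next }
        table == "raw" && /-j NOTRACK/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") notrack[$(i + 1)] = 1
        }
        table == "filter" && /-j TARPIT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") tarpit[$(i + 1)] = 1
        }
        END { for (p in tarpit) if (!(p in notrack)) print p }
    ' | sort -n
}

# Emits the raw-table rules (in the form the manpage gives) that would fix
# the gaps reported by untracked_tarpit_ports. Also reads the dump on stdin.
notrack_fix_rules() {
    untracked_tarpit_ports | while read -r port; do
        printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
    done
}

# Run against the constructed sample. On a live host you would instead do:
#   iptables-save | untracked_tarpit_ports
printf '%s\n' "$SAMPLE_RULES" | untracked_tarpit_ports
printf '%s\n' "$SAMPLE_RULES" | notrack_fix_rules
```

The check only understands rules written with a single `--dport`, as in the manpage example; rules using `-m multiport --dports` or no port match at all are not parsed and would need a separate pass.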