[fw-wiz] Dynamic execution of a script on arrival of a packet

From: Alex Ongena (Alex.Ongena@able.be)
Date: 10/30/02

From: Alex Ongena <Alex.Ongena@able.be>
To: firewall <firewall-wizards@honor.icsalabs.com>
Date: Wed Oct 30 10:22:21 2002


I'am using Linux 2.4.19 and iptables.
I'am looking to make a thing like:
- by default, everything is denied in the Firewall.
- on arrival of a packet, a 'script' (ex. perl) is
  called that evaluates some packet details (like
  Source IP, Protocol, Port, date and time of
  arrival, etc..) and can decides to 'add an
  iptable rule on the fly' to accept this and
  future packets.
- another script can be runned by cron to remove
  iptable entries when applicable.

The advantage of this script could be that 'acceptance'
criteria can be determined more flexible
(for example, checking a database with the relation
IP <-> User at a certain moment in time)

I know that one has to prevent for DoD with Packet
Flooding, but that can be handled with the iptables
--limit extension.

Thanks for any help
PS: I'am new to this list, does there exist a searchable
archive ?