Hi there, I have some questions regarding the CONNMARK and STRING modules for netfilter. I have a stateful firewall doing conntracking, because I have two DSL connections doing load balancing. I have found a way to discriminate KaZaA traffic flowing via port 80 from normal HTTP traffic using the string match. I want to mark a KaZaA connection and filter it to a specific qdisc. I have been looking for info about CONNMARK, but I can't find any HOWTO that explains how it works. Can anyone help me out here? Thank you!
_________________________________________________________________
Chat with your friends online with MSN Messenger: http://messenger.yupimsn.com/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Mon, 2003-06-16 at 15:56, GoMi . wrote:
> Hi there, i have some questions regarding CONNMARK and STRING modules for
> I have been looking for info about CONNMARK, but i cant find any HOWTO to
> explain how it works. Anyone can help me out here?

It's in the FAQ from docum.org ;-) See at http://home.regit.org/connmark.html

BR,
--
Eric Leblond <eric@regit.org>
Regit.org
I still don't get it. I think it's like this, correct me if I am wrong: when a connection is new, a number is given to it and hence we know how to DNAT it when the response comes. That mark has nothing to do with the mark given by the MARK value, hence -j CONNMARK --save-mark will save that number, then I can mark the packet with MARK, and then I have to reset the connmark with --reset-mark; is that right? What I want to do is mark all KaZaA connections since the beginning with a mark 5, for example, but I am beginning to get messed up :)
A question here: I am having problems shaping the ACKs, due to P2P programs. How can I do the --restore-mark on a full connection, including ACKs? I have really no idea how...
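The rule set below is an added example for the two questions above (how MARK and CONNMARK relate, and how to get the mark onto every packet of a connection, ACKs included); it is not from the thread or the linked FAQ. It assumes a router that forwards the traffic, an HTB class 1:5 already set up on the upstream device, and a placeholder string "X-Kazaa-" standing in for whatever pattern the poster's string match uses.

```shell
#!/bin/sh
# Added example, not from the thread. Marks KaZaA-over-port-80 connections with
# fw mark 5 via CONNMARK so every packet of the connection (bare ACKs included)
# carries the mark, then steers them to a class with a tc "fw" filter.
# Assumptions: the string-match pattern "X-Kazaa-" and HTB class 1:5 are placeholders.
KAZAA_MARK=5
KAZAA_STRING="${KAZAA_STRING:-X-Kazaa-}"

# Emit the mangle-table rules. The first argument is the iptables binary to call;
# pass "echo" to print the rules instead of loading them.
kazaa_connmark_rules() {
    ipt="${1:-iptables}"
    # 1. First copy the connection mark (kept by conntrack) onto the packet. Packets of
    #    an already-identified connection, in either direction, get the mark here and
    #    need no further string inspection.
    "$ipt" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Only still-unmarked port-80 traffic is string-inspected. --algo is required by
    #    current iptables; the 2003 patch-o-matic string match had no such option.
    "$ipt" -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 80 \
        -m string --algo bm --string "$KAZAA_STRING" -j MARK --set-mark "$KAZAA_MARK"
    # 3. Copy the packet mark into the connection, so step 1 applies it to every
    #    later packet of that connection, including the reverse-direction ACKs.
    "$ipt" -t mangle -A PREROUTING -m mark --mark "$KAZAA_MARK" -j CONNMARK --save-mark
}

# Emit the tc filter that sends fw-marked packets to class 1:5 on device $2.
kazaa_tc_filter() {
    tc="${1:-tc}"
    dev="${2:-ppp0}"
    "$tc" filter add dev "$dev" parent 1: protocol ip prio 1 \
        handle "$KAZAA_MARK" fw classid 1:5
}

# Print the rules by default; "sh kazaa_connmark.sh iptables tc ppp0" loads them (as root).
kazaa_connmark_rules "${1:-echo}"
kazaa_tc_filter "${2:-echo}" "${3:-ppp0}"
```

Because the restore rule comes first and the string rule only fires on packets whose mark is still 0, the expensive string match runs once per connection; after --save-mark the conntrack entry supplies the mark for every subsequent packet.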