Firewall tricks.

Rob Park rbpark at ualberta.ca
Thu Oct 9 14:33:46 PDT 2003


Gareth Westwood wrote:
> could you not use some sort of script so that when bittorrent starts, 
> iptables starts with iptables-bittol.conf and set that to accept. Then 
> when it stops re-do iptables to use iptables-nobt.conf and re-load. I am 
> kinda thinking like the ip-up and down scripts.

This is exactly the kind of junk that I'm trying to avoid :P

The main problem with doing a wrapper script is that bittorrent isn't a 
file searching & sharing protocol like gnutella; while gnutella will use 
one port for all your downloads, bittorrent uses one port for each 
torrent you have open. So every time I start BT, my script would need 
some logic to ACCEPT the ports that are open, and DROP the ports that 
are closed, for the port range of 6881-6889.

That's certainly possible, but it's an ugly hack. What I'd much rather 
do is have the firewall intelligently know when to ACCEPT or DROP the 
packets based on whether or not the port is open.

Another problem with the wrapper script is that I'd have to be root to 
run bittorrent, which would suck ass. :)

Now that I dropped out of university, I've got tons of time. I'm going 
to recompile my kernel with the grsecurity patches in the next few days, 
and see if I can't do what I want with that.
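The wrapper-script approach discussed above, written out as an added example (not code from the original thread): it reads the listening TCP sockets, keeps only those in 6881-6889, and emits iptables commands that ACCEPT exactly the listening ports and DROP the rest of the range. The chain name BT_IN, the DRY_RUN variable and the embedded `ss -ltnH` sample lines are assumptions made for this example; only the final sync function needs root, the rule generation itself does not.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild a firewall chain so that
# ports in 6881-6889 are ACCEPTed only while a socket is listening on them.
# Listening sockets normally come from `ss -ltnH`; a constructed sample is
# embedded so the generator can be exercised without root or a running client.

BT_LO=6881
BT_HI=6889
CHAIN=BT_IN   # assumed custom chain; INPUT must jump to it (iptables -A INPUT -j BT_IN)

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 50 0.0.0.0:6881 0.0.0.0:*
LISTEN 0 50 0.0.0.0:6883 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# listening_bt_ports: read ss-style lines on stdin and print the listening
# ports that fall inside the BitTorrent range, one per line, sorted, no dupes.
listening_bt_ports() {
    awk -v lo="$BT_LO" -v hi="$BT_HI" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n] + 0   # last field after ":" is the port
            if (p >= lo && p <= hi) print p
        }' | sort -n | uniq
}

# bt_rules: read listening ports from stdin and print the iptables commands
# that rebuild the chain: flush, ACCEPT each open port, DROP the whole range.
bt_rules() {
    open=$(cat)
    echo "iptables -F $CHAIN"
    for p in $open; do
        echo "iptables -A $CHAIN -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A $CHAIN -p tcp --dport $BT_LO:$BT_HI -j DROP"
}

# sync_bt_firewall: the only part that needs root. With DRY_RUN=1 it prints
# the commands instead of running them, so the rule set can be reviewed first.
sync_bt_firewall() {
    rules=$(ss -ltnH 2>/dev/null | listening_bt_ports | bt_rules)
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh
    fi
}

# Demo on the constructed sample: prints one flush, two ACCEPTs and one DROP.
printf '%s\n' "$SAMPLE_SS" | listening_bt_ports | bt_rules
```

Run the sync function from a cron entry or a hook around the client's start and stop; rerunning it is idempotent because the chain is flushed before being rebuilt, and a port that has since closed simply falls through to the range-wide DROP.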

More information about the lfs-chat mailing list