https://inliniac.net/blog/tag/connmark/ Recent content in Connmark on Inliniac Hugo en Mon, 12 Nov 2007 21:29:58 +0000 https://inliniac.net/blog/2007/11/12/multiple-snort_inline-processes-with-vuurmuur/ Mon, 12 Nov 2007 21:29:58 +0000 https://inliniac.net/blog/2007/11/12/multiple-snort_inline-processes-with-vuurmuur/ <p>One of the cool things of the <a href="http://snort-inline.sf.net/">Snort_inline</a> project is the support for NFQUEUE. NFQUEUE is the new queuing mechanism to push packets from the kernel to userspace so a userspace program can issue a verdict on it. What makes NFQUEUE cooler than it&rsquo;s predecessor ip_queue is that it supports multiple queue&rsquo;s. This means that there can be more than one Snort_inline process inspecting and judging traffic. The challenge is to make sure that each Snort_inline instance sees all traffic belonging to a certain connection so Snort_inline can do stateful inspection on it. Luckily, <a href="http://www.vuurmuur.org/">Vuurmuur</a> makes it very easy.</p> https://inliniac.net/blog/2007/05/22/vuurmuur-nfqueue-support/ Tue, 22 May 2007 13:21:23 +0000 https://inliniac.net/blog/2007/05/22/vuurmuur-nfqueue-support/ <p>Vuurmuur supported the QUEUE target for a while already, even though it needed a little bit of a hack to handle the <em>state</em>. This is because the iptables ruleset Vuurmuur creates is quite simple: after a few general protection rules it starts by accepting traffic with the state <em>established</em>. Since there is no way to say &lsquo;queue established traffic that was queued before&rsquo; in iptables I decided to use traffic marking to distinguish between traffic to be queued or accepted. But there was a problem with this approach. I didn&rsquo;t want to cripple the marking of traffic for other purposes, such as traffic shaping and routing, so I decided to use mark-ranges to either queue or accept:</p>