[Server-devel] server security
Jerry Vonau
jvonau at shaw.ca
Tue Sep 22 12:22:47 EDT 2009
On Tue, 2009-09-22 at 12:05 +0200, Martin Langhoff wrote:
> 2009/9/21 Jerry Vonau <jvonau at shaw.ca>:
> > Your proxy is slow to re-load the iptables rule-set? How many lines?
>
> No no. You got a mixup there :-). Adding/removing rules from iptables
> is fast -- we can create a new chain and add rules, flush it, etc. So
> we can manipulate rules there "hot".
>
> For the proxy, we are using Squid. If the solution we build depends on
> adding/removing rules from Squid, and that happens to need a squid
> restart, we will be in a world of pain. So we either avoid this, or
> switch http proxy.
OK, that's clearer :-)
> > I was thinking of something like NoCat: http://nocat.net/ but without
> > the splash-screen, we can just use the backend from NoCat
>
> I thought nocat was playing tricks with dhcp? Will have to re-review it.
>
No dhcp tricks; using iptables's packet marking, you tag the traffic
from the MAC address/IP combo, directing the packet flow into some new
tables where the rules are predefined.
> I am currently on holidays - so my replies will lag a bit...
>
Have fun, we all need a break,
Jerry
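The marking scheme Jerry sketches above, as an added example that is not from the thread or from NoCat: a predefined chain is created once, and each authorised client becomes one rule inserted "hot" into it, so the Squid side is never touched. The interface name, the Squid port, the chain name and the dry-run mode (which prints the commands instead of running them, so it works without root) are assumptions of this example.

```bash
#!/bin/sh
# Added example of iptables packet-mark gating, in the style described in the thread.
# Assumptions (not from the thread): LAN interface eth1, Squid listening on port 3128
# on the gateway, chain name XO_AUTH, and DRY_RUN=1 by default so the script only
# prints the iptables commands it would run.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
ALLOWED_MARK=1

# Run an iptables command, or just print it in dry-run mode.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# One-time setup of the predefined chains. mangle/PREROUTING runs before
# nat/PREROUTING and before FORWARD, so the mark set in XO_AUTH is visible to both:
# marked web traffic is redirected to Squid, unmarked traffic is not forwarded.
setup_chains() {
    ipt -t mangle -N XO_AUTH
    ipt -t mangle -A PREROUTING -i "$LAN_IF" -j XO_AUTH
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m mark --mark "$ALLOWED_MARK" -j REDIRECT --to-ports "$SQUID_PORT"
    ipt -A FORWARD -i "$LAN_IF" -m mark ! --mark "$ALLOWED_MARK" -j DROP
}

# Authorise one client by tagging packets from its MAC/IP pair. Matching both
# means a client that only spoofs the IP (or only the MAC) does not inherit the mark.
allow_client() {
    mac="$1"; ip="$2"
    ipt -t mangle -A XO_AUTH -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$ALLOWED_MARK"
}

# Revoke the same client: deleting the rule is as cheap as adding it.
revoke_client() {
    mac="$1"; ip="$2"
    ipt -t mangle -D XO_AUTH -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$ALLOWED_MARK"
}
```

Run with `DRY_RUN=0` as root to apply the rules; note that the `-m mac` match only works on the ingress interface, which is why the chain hangs off PREROUTING rather than FORWARD.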