[175025] in North American Network Operators' Group
RE: netfilter/iptables synproxy; need help deciding
daemon@ATHENA.MIT.EDU (Thijs Stuurman)
Wed Oct 8 11:28:02 2014
X-Original-To: nanog@nanog.org
From: Thijs Stuurman <Thijs.Stuurman@is.nl>
To: Nanog <nanog@nanog.org>
Date: Wed, 8 Oct 2014 15:21:33 +0000
In-Reply-To: <543554AB.30700@gmail.com>
Errors-To: nanog-bounces@nanog.org