Bug 169104 - iptables TARPIT target incomplete support
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-09-23 01:57 UTC by Mike Pope
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-09-23 19:53:38 UTC
Type: ---
Embargoed:


Description Mike Pope 2005-09-23 01:57:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4) KHTML/3.4.2 (like Gecko)

Description of problem:
iptables 1.3.0-2 supports/supplies the TARPIT target (ipt_TARPIT.so) but there  
is no corresponding .ko module in kernel-2.6.12-1.1447_FC4.  The TARPIT target 
is therefore unusable. 
 
I realize this may be intentional as TARPIT is fairly new, but it is the ideal 
treatment for the increasing number of ssh-port-scans I am seeing lately. 

Version-Release number of selected component (if applicable):
iptables-1.3.0-2
kernel-2.6.12-1.1447_FC4

How reproducible:
Always

Steps to Reproduce:
1. iptables <args> -j TARPIT

Actual Results: The error message is:

iptables: No chain/target/match by that name

Expected Results: iptables -L -v should show the rule had been accepted

Additional info:

While this is a request-for-enhancement, please bear in mind its security 
implications in assigning a priority for action.

Comment 1 Thomas Woerner 2005-09-23 11:44:39 UTC
iptables is the userland configuration tool.

Assigning to kernel.

Comment 2 Dave Jones 2005-09-23 19:53:38 UTC
This module isn't in the upstream kernel, and adding it to the Fedora kernel
isn't going to happen.

I'd suggest trying to get the netfilter folks to merge this upstream, and we'll
pick it up in an update.


