From: Dave Taht
To: "cerowrt-devel@lists.bufferbloat.net", bloat-devel
Date: Tue, 28 Jan 2014 13:32:13 -0500
Subject: [Cerowrt-devel] improving xinetd in the ipv6 age, and interfacing with iptables/ipsets

As mentioned on this list a while back, it seems plausible to protect a router and network a little better with network sensors and
honeypot technologies, and still do so in a lightweight fashion. And it seemed easy to make xinetd do just a little bit more to share information about its problems with ipset and iptables.

I haven't had time to work on this. I got as far as adding parser support to xinetd for a new "deny_server" argument, and there it sat, waiting for me to decode the internal list of dependencies required to fork a server and push info about the connection into env or the command line.

So I just pushed up what little I got to github and perhaps some other security-minded individual will take the idea on. There's a README and a notes.org added with where things are.

https://github.com/dtaht/xinetd-deny

If there is something better than xinetd (of near equivalent "weight") for this sort of stuff, let me know. But I'm back now to a different salt mine...

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html