Re: (PM) Filtering Mail Pings

Stephen Fisher (lithium@cia-g.com)
Wed, 21 Jan 1998 07:21:57 -0700

Here is my idea for implementing such a feature:

Have an option to set an in and/or out filter for a user's connection which
specifies things which will NOT reset the idle timer, such as:

1 permit 0.0.0.0/0 0.0.0.0/0 icmp
2 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 110

So neither ICMP nor POP3 will reset the idle timer. Also have an option in
the filters (such as a special keyword) which you could put in which ComOS
would replace with the user's current IP. This would also allow you to
set up filters which prevent users from IP spoofing:

1 permit <user's ip> 0.0.0.0/0
2 permit 0.0.0.0/0 <user's ip>
then deny everything else..

On Tue, Jan 20, 1998 at 11:08:58PM -0800, Stefan Hudson wrote:
> On Tue, Jan 20, 1998 at 09:44:18AM -0600, Mia's Virtual Post Office wrote:
> > The ComOS needs to have something written into it that detects pings that
> > come in regular intervals and pops people out the moment it detects it.
> > Then we can tell people when they sign up that pinging the connection is
> > illegal and if they do it they will be popped out.
>
> Unfortunately, this is simply not practical. There are so many possible
> ways of defeating an idle timer that it is not effectively possible to
> detect all of them. For any possible algorithm that could be used to detect
> "idle" ports, there is a way to deliberately defeat it. It would be
> far too complicated a system to implement in a terminal server.
>
> I have considered setting up a machine running tcpdump, and writing some
> software to try to detect "keepalive" connections based on that output
> and other things like mail server logs, but it would be hard to write,
> very CPU intensive, and it still would be trivial to defeat it
> deliberately.

-- 
 - Steve
  - Systems Manager
  - Community Internet Access, Inc.
  - Gallup and Grants, New Mexico
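
The proposal in the message above, modelled as an added example (not part of the original message and not ComOS code). It assumes first-match rule evaluation with an implicit deny, and that packets dropped by the anti-spoofing filter do not reset the idle timer; the addresses and traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

USER_IP = "<user's ip>"  # placeholder keyword as written in the message
@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None
    dport: Optional[int] = None

def parse_rule(line, user_ip):
    """Parse 'N permit SRC DST [proto [dst eq PORT]]', substituting the user's address."""
    _, action, src, dst, *rest = line.replace(USER_IP, user_ip + "/32").split()
    proto = rest[0] if rest else None
    dport = int(rest[3]) if len(rest) == 4 and rest[1:3] == ["dst", "eq"] else None
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)

def first_match(rules, pkt):
    """Return the action of the first matching rule, or 'deny' when nothing matches."""
    for r in rules:
        if (ipaddress.ip_address(pkt["src"]) in r.src
                and ipaddress.ip_address(pkt["dst"]) in r.dst
                and r.proto in (None, pkt["proto"])
                and r.dport in (None, pkt.get("dport"))):
            return r.action
    return "deny"

def idle_seconds(packets, idle_rules, spoof_rules, now):
    """Seconds since the last packet that passed anti-spoofing and was not idle-exempt."""
    last = 0  # assumption: the session began at t=0
    for t, pkt in packets:
        if first_match(spoof_rules, pkt) == "permit" and first_match(idle_rules, pkt) != "permit":
            last = t
    return now - last

USER = "192.0.2.10"  # constructed dial-up address (documentation range)
IDLE = [parse_rule(l, USER) for l in ("1 permit 0.0.0.0/0 0.0.0.0/0 icmp",
                                      "2 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 110")]
SPOOF = [parse_rule(l, USER) for l in ("1 permit <user's ip> 0.0.0.0/0",
                                       "2 permit 0.0.0.0/0 <user's ip>")]
TRAFFIC = [  # constructed (time in seconds, packet) samples
    (30, {"src": USER, "dst": "198.51.100.5", "proto": "tcp", "dport": 80}),
    (60, {"src": "198.51.100.9", "dst": USER, "proto": "icmp"}),
    (120, {"src": USER, "dst": "198.51.100.20", "proto": "tcp", "dport": 110}),
    (180, {"src": "203.0.113.7", "dst": "198.51.100.5", "proto": "tcp", "dport": 80}),
]
```

With both filters applied, only the web request at t=30 counts as activity; with an empty idle filter, the ping and the POP3 poll keep the session alive until t=120.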