[Flow-tools] Re: flow-capture filter
Karen Durinyan
karen.durinyan at gmail.com
Mon Jan 21 08:30:27 EST 2008
Hmmm, you are not wrong, it seems you are totally right.
At least I cannot see x.x.x.38 in the flow after changing OR to AND
during the last 10 mins.
Thanks a lot.
--
Bests,
Karen
Joe Loiacono wrote:
>
> flow-tools-bounces at list.splintered.net wrote on 01/21/2008 05:31:07 AM:
>
> > Hi Everybody,
> >
> > Sorry if the question is repeated, but I really need help, thanks.
> >
> > The problem is that I want to filter traffic from and to some host.
> >
> > The filter configuration looks like:
> >
> > cat /etc/flow-tools/cfg/filter.cfg
> >
> > filter-primitive myhost
> >   type ip-address
> >   deny x.x.x.38
> >   default permit
> >
> > filter-definition drop_myhost
> >   match ip-source-address myhost
> >   or
> >   match ip-destination-address myhost
>
> I think you want an *AND*. The above filter will pass a flow if either
> condition is true. In each of the cases listed below, the second match
> (ip-destination-address) is met successfully. If you AND them, then it
> will permit only those flows where both cases are true - i.e., only
> those flows where x.x.x.38 does not appear as source or destination.
>
> I could be wrong :-)
>
> Joe
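
Added example, not part of the original thread: a small Python model of the filter logic Joe describes, showing which flows involving the host still pass the OR form and that the AND form passes none of them. The address 192.0.2.38 stands in for the redacted x.x.x.38, and the flow records and function names are constructed for illustration; this models the semantics as described in the thread and is not flow-tools' own code.

```python
import ipaddress

# Constructed stand-in for the redacted host x.x.x.38 (assumption).
MYHOST = ipaddress.ip_address("192.0.2.38")

# Constructed sample flows covering every position the host can take.
FLOWS = [
    {"src": "192.0.2.38", "dst": "198.51.100.7"},    # host is the source
    {"src": "198.51.100.7", "dst": "192.0.2.38"},    # host is the destination
    {"src": "198.51.100.7", "dst": "203.0.113.9"},   # host not involved
    {"src": "192.0.2.38", "dst": "192.0.2.38"},      # host on both sides
]


def primitive_myhost(addr):
    """Model of the 'myhost' primitive: deny the host, default permit."""
    return ipaddress.ip_address(addr) != MYHOST


def drop_myhost_or(flow):
    """Original definition: source match OR destination match."""
    return primitive_myhost(flow["src"]) or primitive_myhost(flow["dst"])


def drop_myhost_and(flow):
    """Corrected definition: source match AND destination match."""
    return primitive_myhost(flow["src"]) and primitive_myhost(flow["dst"])


def involves_host(flow):
    """True when the host appears as source or destination."""
    return MYHOST in (ipaddress.ip_address(flow["src"]),
                      ipaddress.ip_address(flow["dst"]))


def leaked(filter_fn, flows=FLOWS):
    """Flows that pass the filter even though they involve the host."""
    return [f for f in flows if filter_fn(f) and involves_host(f)]


if __name__ == "__main__":
    for name, fn in (("OR", drop_myhost_or), ("AND", drop_myhost_and)):
        print(name, "passes", [f for f in FLOWS if fn(f)])
        print(name, "leaks ", leaked(fn))
```

With OR, a flow is dropped only when the host is on both sides, which is why the host kept showing up in the captured flows.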