Re: stateful inspection firewall
From: Daniel Hartmeier (daniel_at_benzedrine.cx)
Date: 10/27/03
- Next message: Greg Hennessy: "Re: stateful inspection firewall"
- Previous message: Cedric Blancher: "Re: stateful inspection firewall"
- In reply to: Dario: "stateful inspection firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 27 Oct 2003 16:31:48 GMT
On 27 Oct 2003 08:01:02 -0800, Dario wrote:
> Does anybody know if the IPTables firewalling subsystem is a real
> stateful inspection one, like OpenBSD Packet Filter or Cisco PIX, or
> is it just a connection tracking firewall which just checks for
> connection ports and IP addresses?
As far as I know, iptables does not keep track of TCP sequence number
windows. There's a patch you can install to add that, see
http://www.netfilter.org/documentation/pomlist/pom-extra.html#tcp-window-tracking
Read Guido's paper linked to from the bottom of that page for a
detailed explanation of the concept. I think it's pointless to
argue whether "stateful filtering" includes TCP sequence number
tracking by definition. You should rather ask whether you want
sequence number tracking or not. Do you expect an attacker to
successfully guess a connection's address and port pairs, and
are your clients vulnerable to attacks that involve injecting
packets with invalid sequence numbers (like generating a malicious
ICMP redirect message)?

If recent distributions of netfilter include and enable that module
by default, please correct me. As long as it's an optional patch,
it's not clear how well it works and how it affects performance.
It might work flawlessly and introduce no overhead, and just nobody
cared enough to include it in the base code. You'll have to verify.

In pf, this is the core of the code, and nearly all users have been
using it for several releases.
Daniel
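The distinction Daniel draws above, between a tracker that only remembers address/port pairs and one that also bounds TCP sequence and acknowledgment numbers per direction, is easier to see in code. The following is an added illustration written for this archive page; it is not Daniel's code, nor pf's or netfilter's implementation, and it only models the idea behind the window-tracking approach he points to. All addresses, ports, ISNs and window sizes are constructed sample values, sequence arithmetic uses plain integers (no 32-bit wraparound), and the handshake is recorded directly via `establish()` rather than parsed from SYN packets.

```python
"""Simplified model of TCP sequence-window tracking in a stateful firewall.

Added example, not pf's or netfilter's code. Two trackers are compared:
PortOnlyTracker accepts anything whose 4-tuple matches a known connection;
WindowTracker additionally keeps per-direction sequence bounds and drops
packets whose seq/ack fall outside the plausible window, while still
tolerating ordinary retransmissions.
"""
from dataclasses import dataclass

MAXACKWINDOW = 65535  # tolerated ack skew around the tracked ack point (simplification)


@dataclass
class Side:
    seqlo: int    # lowest sequence number of this side not yet acked by the peer
    seqhi: int    # highest sequence number the peer could currently accept
    max_win: int  # largest receive window this side has advertised


@dataclass
class Packet:
    src: tuple    # (ip, port)
    dst: tuple    # (ip, port)
    seq: int
    ack: int
    win: int
    length: int   # payload bytes (SYN/FIN flags are not modelled here)


class PortOnlyTracker:
    """Connection tracking on addresses and ports only."""

    def __init__(self):
        self.flows = set()

    def add(self, a, b):
        self.flows.add(frozenset([a, b]))

    def check(self, pkt):
        return frozenset([pkt.src, pkt.dst]) in self.flows


class WindowTracker:
    """Connection tracking plus per-direction sequence-window checks."""

    def __init__(self):
        self.flows = {}  # frozenset 4-tuple -> {endpoint: Side}

    def establish(self, a, b, a_isn, b_isn, a_win, b_win):
        """Record a completed handshake: ISNs and advertised windows of both ends."""
        self.flows[frozenset([a, b])] = {
            a: Side(seqlo=a_isn + 1, seqhi=a_isn + 1 + b_win, max_win=a_win),
            b: Side(seqlo=b_isn + 1, seqhi=b_isn + 1 + a_win, max_win=b_win),
        }

    def check(self, pkt):
        sides = self.flows.get(frozenset([pkt.src, pkt.dst]))
        if sides is None:
            return False
        s, d = sides[pkt.src], sides[pkt.dst]
        end = pkt.seq + pkt.length
        ok = (end <= s.seqhi                          # last byte inside peer's window
              and pkt.seq >= s.seqlo - d.max_win      # at most one window behind (retransmit)
              and pkt.ack <= d.seqlo + MAXACKWINDOW   # cannot ack far beyond what peer sent
              and pkt.ack >= d.seqlo - MAXACKWINDOW)  # and not absurdly stale
        if ok:
            s.max_win = max(s.max_win, pkt.win)
            s.seqhi = max(s.seqhi, end + d.max_win)   # peer may accept up to one window more
            d.seqlo = max(d.seqlo, pkt.ack)           # data the peer has now had acked
            d.seqhi = max(d.seqhi, d.seqlo + pkt.win)  # window this packet grants the peer
        return ok


def run_scenario():
    """Feed the same constructed packets to both trackers; return (port_only, windowed) verdicts."""
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 80)  # constructed endpoints
    port_only, windowed = PortOnlyTracker(), WindowTracker()
    port_only.add(client, server)
    windowed.establish(client, server, a_isn=1000, b_isn=5000, a_win=8192, b_win=8192)
    pkts = {
        "client_data": Packet(client, server, seq=1001, ack=5001, win=8192, length=100),
        "server_reply": Packet(server, client, seq=5001, ack=1101, win=8192, length=300),
        "server_retransmit": Packet(server, client, seq=5001, ack=1101, win=8192, length=300),
        # same 4-tuple as the real server, but a sequence number nowhere near the window
        "forged_seq": Packet(server, client, seq=900_000, ack=1101, win=8192, length=0),
        # same 4-tuple as the real client, but acknowledging data never sent
        "forged_ack": Packet(client, server, seq=1101, ack=999_999, win=8192, length=0),
        "unknown_flow": Packet(("198.51.100.7", 1234), server, seq=1, ack=1, win=0, length=0),
    }
    return {name: (port_only.check(p), windowed.check(p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18s} port-only={verdict[0]!s:5s} windowed={verdict[1]}")
```

Running the scenario shows the practical difference: both trackers pass the genuine data, reply and retransmission, but only the window tracker rejects the two packets that match the 4-tuple while carrying implausible sequence or acknowledgment numbers. Whether that extra check is worth its state and per-packet cost is exactly the question Daniel suggests asking.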