Full Disclosure mailing list archives

Re: Stateful Packet Inspection


From: whiplash <whiplash () despammed com>
Date: Tue, 03 Aug 2004 22:46:17 +0200

Goetz Von Berlichingen wrote:

> The original message has some merit with respect to netfilter - the Linux kernel firewall is capable of looking at headers only.

Really funny.
Try and explain, then, how Linux netfilter correctly recognizes, nats and keeps state
of protocols like ftp, irc/dcc, h323, pptp and so on.

> This does allow some stateful packet inspection - one can discriminate against incoming connection attempts with --syn, for instance.

Do you have any idea of what stateful means?

> This isn't really stateful, however, since the firewall does not retain any knowledge of the state of a connection.

Yeah, of course.
I suppose that

#lsmod | grep track
ip_conntrack_ftp        5216   1  [ip_nat_ftp]
ip_conntrack_irc        4256   1  [ip_nat_irc]
ip_conntrack           41332   4  (autoclean) [ip_nat_ftp ip_conntrack_ftp ip_nat_irc ip_conntrack_irc ipt_MASQUERADE iptable_nat ipt_state]

is just the output of some hallucination of mine. <g>

> iptables is pretty much useless against covert channels such as Loki, Q, or any of the various tunneling packages.

Some good advice for you, absolutely for free: shutdown -h now (do you know what it means, at least? <g>)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
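The disagreement above is about what "stateful" buys you beyond a header-only `--syn` check. The following Python model is an added example, not part of the list post or of netfilter's code: it mimics, in miniature, what `ip_conntrack` does (a connection table with NEW / ESTABLISHED / RELATED / INVALID classification) and what the `ip_conntrack_ftp` helper adds (reading an active-mode `PORT` command off the control channel and expecting the server's data connection back). All hosts, ports and packets are constructed; `LAN`, `Packet`, `ConnTracker` and the two filter functions are hypothetical names chosen for the example.

```python
"""Toy model of what netfilter's ip_conntrack adds over a stateless --syn check.
Constructed example; every packet and address below is made up."""
import re
from dataclasses import dataclass

# TCP flag bits as laid out in the real header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
LAN = "10.0.0."          # constructed: prefix of the protected inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def syn_only(pkt):
    """The iptables --syn match: SYN set and ACK, RST, FIN clear. It sees this packet only."""
    return pkt.flags & (SYN | ACK | RST | FIN) == SYN


def stateless_filter(pkt):
    """Header-only rule set: drop inbound connection attempts with --syn, accept the rest."""
    inbound = not pkt.src.startswith(LAN)
    return "DROP" if inbound and syn_only(pkt) else "ACCEPT"


_PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class ConnTracker:
    """Minimal stand-in for ip_conntrack plus the ip_conntrack_ftp helper (hypothetical name)."""

    def __init__(self):
        self.conns = {}        # 4-tuple -> state of a tracked connection
        self.expected = set()  # (dst, dport) pairs the FTP helper expects a data connection to

    @staticmethod
    def _tuple(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def classify(self, pkt):
        """Map a packet to conntrack's NEW / ESTABLISHED / RELATED / INVALID."""
        if self._tuple(pkt) in self.conns or self._reverse(pkt) in self.conns:
            return "ESTABLISHED"
        if not syn_only(pkt):
            return "INVALID"          # no SYN and no connection we know of
        if (pkt.dst, pkt.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def track(self, pkt, state):
        """Update the table after a packet has been accepted."""
        if state in ("NEW", "RELATED"):
            self.conns[self._tuple(pkt)] = "SYN_SENT"
            self.expected.discard((pkt.dst, pkt.dport))
        elif state == "ESTABLISHED":
            self._ftp_helper(pkt)

    def _ftp_helper(self, pkt):
        """Like ip_conntrack_ftp: parse an active-mode PORT command on the control channel
        and expect the server's data connection to the advertised address and port."""
        m = _PORT_CMD.match(pkt.payload)
        if pkt.dport == 21 and m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


def stateful_filter(ct, pkt):
    """Rule set in the style of iptables -m state: NEW only from the LAN,
    ESTABLISHED and RELATED always, INVALID never."""
    state = ct.classify(pkt)
    inbound = not pkt.src.startswith(LAN)
    if state == "INVALID" or (state == "NEW" and inbound):
        return state, "DROP"
    ct.track(pkt, state)
    return state, "ACCEPT"


def run_scenario():
    """Constructed traffic: a LAN host does active-mode FTP, then an outsider probes it.
    Returns (stateless verdict, conntrack state, stateful verdict) per packet."""
    client, server, outsider = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    packets = [
        Packet(client, 40000, server, 21, SYN),
        Packet(server, 21, client, 40000, SYN | ACK),
        Packet(client, 40000, server, 21, ACK, b"PORT 10,0,0,5,156,65\r\n"),  # 156*256+65 = 40001
        Packet(server, 20, client, 40001, SYN),    # server opens the data connection inbound
        Packet(outsider, 1234, client, 22, ACK),   # stray ACK with no connection behind it
        Packet(outsider, 1235, client, 22, SYN),   # plain inbound connection attempt
    ]
    ct = ConnTracker()
    results = []
    for p in packets:
        state, verdict = stateful_filter(ct, p)
        results.append((stateless_filter(p), state, verdict))
    return results


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

Two rows make the point of the thread: the server's inbound data connection for active FTP is dropped by the `--syn` rule but accepted as RELATED once the helper has seen the `PORT` command, and the outsider's bare ACK sails through the header-only filter while conntrack classifies it INVALID because no tracked connection exists for it.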