Full Disclosure mailing list archives
Re: Stateful Packet Inspection
From: "Aaron Gray" <angray () beeb net>
Date: Sun, 1 Aug 2004 19:14:43 +0100
> A better search would be http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0, since yours hits on the patch for IPSEC that allows filtering on Security Parameter Index (SPI).
>
> The original message has some merit with respect to netfilter - the Linux kernel firewall is capable of looking at headers only. This does allow some stateful packet inspection - one can discriminate against incoming connection attempts with --syn, for instance. This isn't really stateful, however, since the firewall does not retain any knowledge of the state of a connection. iptables is pretty much useless against covert channels such as Loki, Q, or any of the various tunneling packages.
>
> The problem with stateful inspection is that it so easily leads to self-denial of service. An attacker need only make enough legitimate connections to overflow the firewall's capability. At that point, the firewall either crashes or quits stateful inspection.
Or it causes DoS'ing. If storage were FILO rather than FIFO, chucking away the oldest states first, then presumably you just get a general DoS'ing effect. DoS'ing begets DoS'ing.
> Perhaps Mr. Gray should consider how to add true stateful packet inspection to the iptables software and contribute that patch back to the community?
Already done :- http://www.netfilter.org/

Not my contribution, I am more interested in creating a good free open source SPI personal firewall for Windows.
Aaron

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
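To make the thread's point about state-table exhaustion concrete, here is an added Python model (not code from the thread or from netfilter) of a bounded connection table with the two overflow behaviours discussed, refusing new flows or evicting the oldest, plus a per-source connection cap of the kind a connlimit-style rule provides as mitigation. Addresses, capacity and flow counts are constructed.

```python
from collections import OrderedDict

# Constructed toy model of a stateful firewall's connection table. It is not
# netfilter code; it only illustrates the thread's argument about overflow.
class StateTable:
    def __init__(self, capacity, policy="refuse", per_source_limit=None):
        self.capacity = capacity                  # max tracked flows
        self.policy = policy                      # "refuse" new flows, or "fifo" evict oldest
        self.per_source_limit = per_source_limit  # mitigation: cap flows per source IP
        self.flows = OrderedDict()                # flow key -> state, in insertion order

    def _flows_from(self, src):
        return sum(1 for key in self.flows if key[0] == src)

    def new_connection(self, src, dst, sport, dport):
        """A SYN that passed the header rules and now asks for a table entry."""
        key = (src, dst, sport, dport)
        if self.per_source_limit is not None and self._flows_from(src) >= self.per_source_limit:
            return "rejected-connlimit"
        if len(self.flows) >= self.capacity:
            if self.policy == "refuse":
                return "dropped-table-full"
            self.flows.popitem(last=False)        # FIFO: the oldest tracked flow is lost
        self.flows[key] = "ESTABLISHED"
        return "accepted"

    def packet(self, src, dst, sport, dport):
        """Mid-stream packet: a stateful rule accepts it only if the flow is tracked."""
        return "accepted" if (src, dst, sport, dport) in self.flows else "dropped-no-state"

def simulate(policy, per_source_limit=None, capacity=50, attacker_flows=100):
    """One legitimate session, then a flood of connections from one source (constructed)."""
    table = StateTable(capacity, policy, per_source_limit)
    table.new_connection("10.0.0.5", "10.0.0.1", 40000, 22)   # admin SSH session
    flood = [table.new_connection("192.0.2.7", "10.0.0.1", 1024 + i, 80)
             for i in range(attacker_flows)]
    return {
        "attacker_accepted": flood.count("accepted"),
        "legit_midstream": table.packet("10.0.0.5", "10.0.0.1", 40000, 22),
        "legit_new": table.new_connection("10.0.0.6", "10.0.0.1", 40001, 22),
        "tracked": len(table.flows),
    }

if __name__ == "__main__":
    for name, kwargs in [("fifo eviction", {"policy": "fifo"}),
                         ("refuse when full", {"policy": "refuse"}),
                         ("fifo + per-source cap", {"policy": "fifo", "per_source_limit": 10})]:
        print(name, simulate(**kwargs))
```

With FIFO eviction the established admin session is silently pushed out by the flood; with refusal it survives but no new legitimate connection can be tracked; only the per-source cap keeps both working.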