Re: Stateful Packet Inspection

[Michael Gale <michael.gale () bluesuperman com>]

Maybe you should take come computer courses and then read the docs again
.. because you have no clue what you are taking about.

Michael.


On Sun, 01 Aug 2004 10:19:38 -0600
Goetz Von Berlichingen <goetzvonberlichingen () comcast net> wrote:

> Ron DuFresne wrote:
> ..
> > Google search: IPtables SPI ;;
> >
> > http://www.google.com/search?q=IPtables+SPI&sourceid=mozilla-search&start=0&start=0
>
>    A better search would be 
> http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0,
>
> since yours hits on the patch for IPSEC that allows filtering on 
> Security Parameter Index (SPI).
>
>    The original message has some merit with respect to netfilter - the
>    
> Linux kernel firewall is capable of looking at headers only.  This
> does allow some stateful packet inspection - one can discriminate
> against incoming connection attempts with --syn, for instance.  This
> isn't really stateful, however, since the firewall does not retain any
>
> knowledge of the state of a connection.  iptables is pretty much
> useless agains covert channels such as Loki, Q, or any of the various
> tunneling packages.
>
>    The problem with stateful inspection is that it so easily leads to 
> self-denial of service.  An attacker need only make enough legitimate 
> connections to overflow the firewall's capability.  At that point, the
>
> firewall either crashes or quits stateful inspection.  Perhaps Mr.
> Gray should consider how to add true stateful packet inspection to the
>
> iptables software and contribute that patch back to the community?
>
> Goetz
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html