From: goetzvonberlichingen at comcast.net (Goetz Von Berlichingen)
Subject: Stateful Packet Inspection

Ron DuFresne wrote:
..
> Google search: IPtables SPI ;;
> 
> http://www.google.com/search?q=IPtables+SPI&sourceid=mozilla-search&start=0&start=0

   A better search would be 
http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0,

since yours hits on the patch for IPSEC that allows filtering on 
Security Parameter Index (SPI).

   The original message has some merit with respect to netfilter - the 
Linux kernel firewall is capable of looking at headers only.  This does 
allow some stateful packet inspection - one can discriminate against 
incoming connection attempts with --syn, for instance.  This isn't 
really stateful, however, since the firewall does not retain any 
knowledge of the state of a connection.  iptables is pretty much useless 
against covert channels such as Loki, Q, or any of the various tunneling 
packages.

   The problem with stateful inspection is that it so easily leads to 
self-denial of service.  An attacker need only make enough legitimate 
connections to overflow the firewall's capability.  At that point, the 
firewall either crashes or quits stateful inspection.  Perhaps Mr. Gray 
should consider how to add true stateful packet inspection to the 
iptables software and contribute that patch back to the community?

Goetz
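The contrast drawn above between a header-only --syn check and a filter that actually remembers connections, and the state-table exhaustion problem raised in the last paragraph, can be shown in a small simulation. This is an added example, not part of the original post and not netfilter or iptables code: the two filters are toy models written for this illustration, the stateless one only approximates what a rule matching on the SYN flag does, and the addresses, ports and packets are constructed.

```python
"""Toy packet filters: a header-only SYN check next to a bounded connection
tracker, including what happens when the state table fills up.

Added example; not part of the original post and not iptables/netfilter code.
All packets, addresses and ports below are constructed for the illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = True  # True = arriving on the outside interface


def stateless_syn_filter(pkt: Packet) -> str:
    """Header-only check in the spirit of an input rule matching --syn.

    It refuses inbound SYN-only segments (new connection attempts) but keeps
    no memory, so any other inbound segment passes whether or not it belongs
    to a connection this side opened.
    """
    if pkt.inbound and pkt.syn and not pkt.ack:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Connection tracker with a bounded state table.

    Outbound SYNs create entries; inbound segments are accepted only when they
    match one.  When the table is full the filter either refuses new flows
    (fail_closed=True) or, mimicking the failure mode the post describes,
    abandons inspection and passes everything (fail_closed=False).
    """

    def __init__(self, max_entries: int, fail_closed: bool = True) -> None:
        self.max_entries = max_entries
        self.fail_closed = fail_closed
        self.table: "OrderedDict[tuple, str]" = OrderedDict()
        self.degraded = False  # set once inspection has been given up

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Normalise both directions to (local addr, local port, remote addr,
        # remote port) so a reply matches the entry its SYN created.
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def filter(self, pkt: Packet) -> str:
        if self.degraded:
            return "ACCEPT"  # no longer stateful: everything passes
        key = self._key(pkt)
        if not pkt.inbound:
            if pkt.syn and not pkt.ack and key not in self.table:
                if len(self.table) >= self.max_entries:
                    if self.fail_closed:
                        return "DROP"  # refuse this flow, keep tracking the rest
                    self.degraded = True
                    return "ACCEPT"
                self.table[key] = "NEW"
            return "ACCEPT"
        # Inbound: only segments belonging to a tracked flow are allowed,
        # which also covers stray ACKs and SYN-free covert traffic.
        return "ACCEPT" if key in self.table else "DROP"


def demo(max_entries: int = 2) -> dict:
    """Run constructed traffic through both filters and collect the verdicts."""
    local, remote = "10.0.0.5", "203.0.113.7"
    syn_out = Packet(local, 40000, remote, 80, syn=True, inbound=False)
    synack_in = Packet(remote, 80, local, 40000, syn=True, ack=True)
    # Inbound ACK with no matching connection (an ACK scan, or a tunnel that
    # deliberately avoids SYN segments).
    stray_ack = Packet(remote, 80, local, 40001, ack=True)

    results = {
        "stateless_reply": stateless_syn_filter(synack_in),
        "stateless_stray": stateless_syn_filter(stray_ack),
    }
    tracker = StatefulFilter(max_entries)
    tracker.filter(syn_out)
    results["stateful_reply"] = tracker.filter(synack_in)
    results["stateful_stray"] = tracker.filter(stray_ack)

    # Exhaust the table with legitimate-looking outbound connections.
    extra = Packet(local, 60000, remote, 443, syn=True, inbound=False)
    for port in range(50000, 50000 + max_entries):
        tracker.filter(Packet(local, port, remote, 443, syn=True, inbound=False))
    results["fail_closed_new_flow"] = tracker.filter(extra)
    results["fail_closed_stray"] = tracker.filter(stray_ack)

    fail_open = StatefulFilter(max_entries, fail_closed=False)
    for port in range(50000, 50000 + max_entries):
        fail_open.filter(Packet(local, port, remote, 443, syn=True, inbound=False))
    results["fail_open_new_flow"] = fail_open.filter(extra)
    results["fail_open_stray"] = fail_open.filter(stray_ack)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The stray ACK is the interesting case: the header-only filter passes it because it is not a SYN, while the tracker drops it because no outbound SYN created an entry for that port pair. Once the table is full, the fail-closed tracker keeps protecting existing flows at the cost of refusing new ones, whereas the fail-open variant silently turns back into a pass-everything filter, which is the self-inflicted denial of service the post warns about.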