From: angray at (Aaron Gray)
Subject: Stateful Packet Inspection

>   A better search would be 
> since yours hits on the patch for IPSEC that allows filtering on Security 
> Parameter Index (SPI).
>   The original message has some merit with respect to netfilter - the 
> Linux kernel firewall is capable of looking at headers only.  This does 
> allow some stateful packet inspection - one can discriminate against 
> incoming connection attempts with --syn, for instance.  This isn't really 
> stateful, however, since the firewall does not retain any knowledge of the 
> state of a connection.  iptables is pretty much useless against covert 
> channels such as Loki, Q, or any of the various tunneling packages.
>   The problem with stateful inspection is that it so easily leads to 
> self-denial of service.  An attacker need only make enough legitimate 
> connections to overflow the firewall's capability.  At that point, the 
> firewall either crashes or quits stateful inspection.

Or causes DoS'ing. If storage were FILO rather than FIFO, chucking away the 
oldest states first, then presumably you just get a general DoS'ing effect. 
DoS'ing begets DoS'ing.

>  Perhaps Mr. Gray should consider how to add true stateful packet 
> inspection to the iptables software and contribute that patch back to the 
> community?

Already done :-

Not my contribution, I am more interested in creating a good free open 
source SPI personal firewall for Windows.
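The self-denial-of-service argument in the thread, as a constructed model added here (not code from the thread or from netfilter): a fixed-size state table under a flood of legitimate-looking connections, evicting the oldest entry (FIFO) or the newest (FILO), with a per-source cap included as an assumed mitigation that the thread itself does not discuss.

```python
from collections import OrderedDict


class ConnTrackTable:
    """Toy model of a fixed-size connection-tracking table (constructed, not netfilter's)."""

    def __init__(self, capacity, policy="fifo", per_source_limit=None):
        self.capacity = capacity
        self.policy = policy                  # "fifo": evict oldest; "filo": evict newest
        self.per_source_limit = per_source_limit  # assumed mitigation: cap flows per source
        self.entries = OrderedDict()          # (src, dst) -> True, kept in insertion order
        self.per_source = {}                  # src -> number of tracked flows
        self.evicted = self.rejected = 0

    def open(self, src, dst):
        """Track a new flow; returns False if the per-source cap rejects it."""
        if self.per_source_limit is not None and self.per_source.get(src, 0) >= self.per_source_limit:
            self.rejected += 1
            return False
        if len(self.entries) >= self.capacity:
            # Table full: an existing flow's state is dropped to make room.
            victim, _ = self.entries.popitem(last=(self.policy == "filo"))
            self.per_source[victim[0]] -= 1
            self.evicted += 1
        self.entries[(src, dst)] = True
        self.per_source[src] = self.per_source.get(src, 0) + 1
        return True

    def is_tracked(self, src, dst):
        return (src, dst) in self.entries


def simulate(policy, per_source_limit=None, capacity=100):
    """Constructed scenario: host A connects, one host opens 500 flows, host B connects, 50 more flows."""
    table = ConnTrackTable(capacity, policy, per_source_limit)
    table.open("A", ("web", 1))
    for port in range(500):
        table.open("FLOODER", ("web", port))
    table.open("B", ("web", 2))
    for port in range(500, 550):
        table.open("FLOODER", ("web", port))
    return {
        "A_still_tracked": table.is_tracked("A", ("web", 1)),   # FIFO: False, FILO: True
        "B_still_tracked": table.is_tracked("B", ("web", 2)),   # FIFO: True,  FILO: False
        "evicted": table.evicted,
        "rejected": table.rejected,
    }
```

Without a cap, FIFO drops the established host A and FILO drops the later-arriving host B, so some legitimate traffic loses its state either way; with the cap the table never fills and both hosts stay tracked.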

