also sprach Rene Mayrhofer <[EMAIL PROTECTED]> [2006.07.04.1013 +0200]:
> That must be connection pickup. At
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> search for "pickup".
Excellent pointer, and yet another reason why we should really be looking for alternatives to the Linux kernel.

The default, without the tcp-window-tracking patch, is to have this behaviour, and is not changeable. So what's the point of iptables and statefulness in the end? It keeps track of connections and lets packets belonging to established connections pass, but if there's an ACK packet that doesn't belong anywhere, iptables is kind enough to invite it to the club?

So then, if I run e.g. cups on 0.0.0.0 and use the firewall rules to make sure that no external clients can connect to it (say, because I was too lazy to modify cupsd.conf), an attacker just has to send an ACK packet to the socket, iptables will throw open the doors, and let the connection in?

Reminds me of Microsoft Bob, which would, after three invalid password entries, ask you whether you wanted to change your password.

Or is there some actual benefit I am overseeing? The FAQ does say it's "after a failover" only, but no mention over how long.

So, NetBSD... one step closer...

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"i never travel without my diary. one should always have something
 sensational to read on the train."
                                                        -- oscar wilde
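One way to close the door the mail describes, as an added example that is not part of the original thread: a POSIX shell script that drops TCP packets conntrack classifies as NEW but that carry no SYN (the usual counter to loose pickup, so a lone ACK can never become an ESTABLISHED entry) and, where the kernel exposes a knob for it, turns loose tracking off altogether. The sysctl key names, the port 22 accept rule and the `IPT`/`SYSCTL` overrides for a dry run are my assumptions, not anything from the mail.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes Linux with iptables and the "state" match. IPT and SYSCTL can be
# overridden (e.g. IPT=echo) to dry-run the policy without root.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Emit the INPUT rules in the order they must be applied. Printing them first
# lets the policy be inspected (and tested) without touching a live firewall.
pickup_rules() {
    # 1. conntrack says NEW but the packet has no SYN: that is exactly the
    #    mid-stream pickup case (the lone ACK from the mail). Drop it before
    #    the generic ESTABLISHED accept below ever sees follow-up traffic.
    echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    # 2. Normal stateful rules follow.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    # 3. Only listed services may open a connection from outside (port 22 is
    #    an assumed example); cups on 0.0.0.0 (631) is deliberately absent,
    #    so it stays reachable from localhost only.
    echo "-A INPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT"
    echo "-A INPUT -j DROP"
}

# Apply the rules above with whatever $IPT points at.
apply_rules() {
    pickup_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        $IPT $rule
    done
}

# Where the kernel has window tracking, also switch off loose pickup so the
# conntrack entry is never created. Assumption: the key is named as in the
# tcp-window-tracking patch (ip_conntrack_tcp_loose); later kernels call it
# net.netfilter.nf_conntrack_tcp_loose. Returns 1 if neither key exists.
disable_loose_pickup() {
    for key in net.ipv4.netfilter.ip_conntrack_tcp_loose \
               net.netfilter.nf_conntrack_tcp_loose; do
        $SYSCTL -w "$key=0" 2>/dev/null && return 0
    done
    return 1
}
```

Run with `IPT=echo SYSCTL=echo sh pickup.sh` first to review the exact rules; the first rule must stay ahead of the ESTABLISHED accept or it is pointless.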