Hi Gurus, I had a discussion with a friend of mine who uses Linux (and therefore iptables) for his firewall. I wonder why it is so important for a firewall to check for a valid sequence number range for the whole life of a connection. As I understand it, iptables does it only during the handshake, and after the connection enters the ESTABLISHED state it checks only the {source, destination} {IP address, port} pairs. Pf, on the other hand, checks for valid sequence numbers all the time. If I send a packet with an invalid seq. number (with the other attributes valid) to a host behind the firewall and the firewall doesn't check it, i.e. lets it through, the destination host will drop it anyway, won't it? So in the case of pf, pf will drop the packet before it reaches the host; in the case of a firewall that doesn't check seq. numbers, the destination host will drop it. Yes, nasty and invalid packets will enter my network, taking resources from my server etc., but is there anything else that I missed?
I read lots of papers about TCP hijacking, IP spoofing and packet injection, but I still somehow do not understand how a seq. number check on the firewall for the whole lifetime of a connection could help. I could imagine only one situation - sending a RST with valid addresses and ports could change the state on the firewall, but the host will drop it, so the firewall will close the connection (after some time) while it still looks established on both hosts. Could someone shed more light on it? Thanks a lot, Petr Ruzicka
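The desync case raised in the question (a forged RST with a valid 4-tuple that the firewall honours but the host ignores), modelled as an added illustration that is not part of the original post or of pf/iptables: a simplified stateful tracker that can either apply a per-segment sequence-window check or skip it once the flow is ESTABLISHED. The 4-tuple match, the window size and the segments are constructed assumptions; real state machines track both directions and more fields.

```python
# Added example (not from the original post): compare a firewall that
# validates each segment's sequence number against the tracked window
# with one that only matches the 4-tuple after the handshake.
# Simplified model; the 4-tuple is assumed to have matched already.

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def seq_in_window(seq, expected, window):
    """True if seq lies within [expected, expected + window), modulo 2**32."""
    return (seq - expected) % MOD < window


class FlowState:
    def __init__(self, peer_seq, window):
        self.peer_seq = peer_seq   # next sequence number expected from this peer
        self.window = window       # receive window advertised by the other side
        self.status = "ESTABLISHED"


def firewall_decision(state, seg, check_seq):
    """seg: dict with 'seq', 'flags', 'len'. Returns 'PASS' or 'DROP'."""
    if check_seq and not seq_in_window(seg["seq"], state.peer_seq, state.window):
        return "DROP"  # out of window: stale or forged, never reaches the host
    if "R" in seg["flags"]:
        state.status = "CLOSED"  # firewall tears down its own state on a RST
    else:
        state.peer_seq = (state.peer_seq + seg["len"]) % MOD
    return "PASS"


def simulate(check_seq):
    """Feed one genuine segment and one forged RST; return decisions and state."""
    state = FlowState(peer_seq=1000, window=65535)
    # Constructed segments: a genuine in-window data segment, then a RST
    # with a random sequence number but an otherwise valid 4-tuple.
    genuine = {"seq": 1000, "flags": "A", "len": 100}
    forged_rst = {"seq": 3_000_000_000, "flags": "R", "len": 0}
    first = firewall_decision(state, genuine, check_seq)
    second = firewall_decision(state, forged_rst, check_seq)
    return first, second, state.status
```

With the check enabled the forged RST is dropped and the firewall stays in step with both hosts; without it the firewall alone moves to CLOSED, which is exactly the desynchronised state the question describes.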