Hi Gurus,
I had a discussion with a friend of mine who uses Linux (and
therefore iptables) for his firewall. I wonder why it is so
important for a firewall to check for a valid sequence number range
for the whole life of a connection? As I understand it, iptables does
it only during the handshake, and after the connection enters the ESTABLISHED
state it checks only for {source, destination} and {IP address,
port}. Pf, on the other hand, checks for a valid sequence number all
the time.
If I send a packet with an invalid seq. number (with the other attributes
valid) to a host behind the firewall and the firewall doesn't check it, i.e.
lets it through, the destination host will drop it anyway, doesn't it?
So in the case of pf, pf will drop the packet before it reaches the host; in
the case of a firewall that doesn't check seq. numbers, the
destination host will drop it. Yes, nasty and invalid packets
will enter my network, taking resources from my server etc., but
is there anything else that I missed?
I read lots of papers about TCP hijacking, IP spoofing and packet
injection, but I still somehow do not understand how a seq.
number check on the firewall for the whole connection's lifetime could help.
I could imagine only one situation: sending a RST with valid
addresses and ports could change the state on the firewall, but the host
will drop it, so the firewall will close the connection (after some time)
while it still looks established on both hosts.
Could someone shed more light on it?
Thanks a lot
Petr Ruzicka
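The RST scenario in the post is easy to see in a toy model. The following is an added example, not code from the original post and not pf's or Netfilter's implementation: a minimal stateful TCP tracker that can be run in the two modes the post contrasts, one that only matches the address/port tuple once a flow is ESTABLISHED and one that also enforces a sequence-number window for the whole lifetime of the flow. Addresses, ISNs, the fixed 65535 window and the segments are all constructed; real trackers derive the window from what each peer advertises and also validate the ACK field.

```python
"""Toy stateful TCP tracker: tuple-only vs. sequence-window enforcement.

Added example; the window logic is a simplified stand-in for what
window-tracking firewalls do, not a copy of any real implementation.
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32


@dataclass
class Segment:
    """Constructed TCP header fields; src/dst are 'ip:port' strings."""
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    payload_len: int = 0


@dataclass
class Flow:
    client: str
    server: str
    state: str = "SYN_SENT"
    client_next: int = 0      # next seq expected from the client
    server_next: int = 0      # next seq expected from the server
    window: int = 65535       # toy fixed window (assumption)


def seq_in_window(seq, expected, window):
    """True if seq lies in [expected - window, expected + window) mod 2^32."""
    return (seq - (expected - window)) % SEQ_MOD < 2 * window


class StatefulFirewall:
    """enforce_window=True: validate seq numbers for the flow's whole life.
    enforce_window=False: after the handshake, match only the tuple."""

    def __init__(self, enforce_window):
        self.enforce_window = enforce_window
        self.flows = {}  # (client, server) -> Flow

    def _lookup(self, seg):
        if (seg.src, seg.dst) in self.flows:
            return self.flows[(seg.src, seg.dst)], "client"
        if (seg.dst, seg.src) in self.flows:
            return self.flows[(seg.dst, seg.src)], "server"
        return None, None

    def state_of(self, client, server):
        flow = self.flows.get((client, server))
        return flow.state if flow else "NONE"

    def process(self, seg):
        flow, side = self._lookup(seg)
        if flow is None:
            if seg.flags == {"SYN"}:
                self.flows[(seg.src, seg.dst)] = Flow(
                    seg.src, seg.dst, client_next=(seg.seq + 1) % SEQ_MOD)
                return "pass"
            return "drop"  # no state for this tuple
        # Handshake: both modes check seq/ack strictly here.
        if flow.state == "SYN_SENT":
            if (side == "server" and seg.flags == {"SYN", "ACK"}
                    and seg.ack == flow.client_next):
                flow.server_next = (seg.seq + 1) % SEQ_MOD
                flow.state = "SYN_RECV"
                return "pass"
            return "drop"
        if flow.state == "SYN_RECV":
            if (side == "client" and seg.flags == {"ACK"}
                    and seg.seq == flow.client_next
                    and seg.ack == flow.server_next):
                flow.state = "ESTABLISHED"
                return "pass"
            return "drop"
        # ESTABLISHED: this is where the two policies differ.
        expected = flow.client_next if side == "client" else flow.server_next
        if self.enforce_window and not seq_in_window(seg.seq, expected, flow.window):
            return "drop"  # valid tuple, but seq outside the tracked window
        if "RST" in seg.flags:
            del self.flows[(flow.client, flow.server)]  # firewall tears state down
            return "pass"
        if seg.seq == expected:  # advance expectation on in-order data
            new_next = (expected + seg.payload_len) % SEQ_MOD
            if side == "client":
                flow.client_next = new_next
            else:
                flow.server_next = new_next
        return "pass"


def run_scenario(enforce_window):
    """Handshake, one data segment, then a RST with the right tuple but a
    wildly wrong sequence number. Returns (verdicts, firewall state)."""
    fw = StatefulFirewall(enforce_window)
    client, server = "203.0.113.5:40000", "192.0.2.10:22"  # constructed
    segs = [
        Segment(client, server, 1000, 0, frozenset({"SYN"})),
        Segment(server, client, 5000, 1001, frozenset({"SYN", "ACK"})),
        Segment(client, server, 1001, 5001, frozenset({"ACK"})),
        Segment(client, server, 1001, 5001, frozenset({"ACK"}), payload_len=100),
        Segment(client, server, 900_000_000, 5001, frozenset({"RST"})),
    ]
    verdicts = [fw.process(s) for s in segs]
    return verdicts, fw.state_of(client, server)


if __name__ == "__main__":
    print("tuple-only :", run_scenario(False))
    print("windowed   :", run_scenario(True))
```

In tuple-only mode the forged RST passes and the firewall deletes the flow while both end hosts, which reject the out-of-window RST, still consider the connection established; the tracker has been desynchronised from the real connection. In windowed mode the same RST is dropped at the firewall and the flow stays ESTABLISHED, which is the protective effect the post is asking about.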