Goetz Von Berlichingen wrote:
> The original message has some merit with respect to netfilter - the Linux kernel firewall is capable of looking at headers only.
Really funny. Try and explain, then, how Linux netfilter correctly recognizes, NATs and keeps state of protocols like ftp, irc/dcc, h323, pptp and so on.
> This does allow some stateful packet inspection - one can discriminate against incoming connection attempts with --syn, for instance.
Do you have any idea of what stateful means?
> This isn't really stateful, however, since the firewall does not retain any knowledge of the state of a connection.
Yeah, of course. I suppose that
# lsmod | grep track
ip_conntrack_ftp            5216   1  [ip_nat_ftp]
ip_conntrack_irc            4256   1  [ip_nat_irc]
ip_conntrack               41332   4  (autoclean) [ip_nat_ftp ip_conntrack_ftp ip_nat_irc ip_conntrack_irc ipt_MASQUERADE iptable_nat ipt_state]

is just the output of some hallucination of mine. <g>
> iptables is pretty much useless against covert channels such as Loki, Q, or any of the various tunneling packages.
Some good advice for you, absolutely free: shutdown -h now (do you know what it means, at least? <g>)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
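The point argued in the exchange above is the difference between a header-only --syn rule and a connection tracker with a protocol helper (the ip_conntrack and ip_conntrack_ftp modules in the lsmod listing). The following is an added example written for this thread, not netfilter code and not code from either poster: a toy Python model of a conntrack table with an FTP PORT helper, run side by side with a stateless --syn policy over a constructed packet trace. The 10.0.0.0/8 "inside" network, the addresses, the ports and the PORT line are all made up for the demonstration, and the tracker is deliberately simplified (no sequence-number tracking, no timeouts, no NAT).

```python
"""Toy model of netfilter connection tracking (ip_conntrack) with an FTP helper
(ip_conntrack_ftp), contrasted with a header-only --syn rule.
Added example for this thread, not netfilter's own code.  The inside network,
addresses, ports and the FTP PORT line are constructed for the demonstration."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")          # assumed protected network
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def syn_only_verdict(p: Packet) -> str:
    """Header-only policy: drop connection attempts (SYN without ACK) from outside,
    in the spirit of `iptables -A INPUT -p tcp --syn ! -s 10.0.0.0/8 -j DROP`.
    Every other packet is accepted with no memory of whether a flow exists."""
    if not inside(p.src) and p.syn and not p.ack:
        return "DROP"
    return "ACCEPT"


class ConnTracker:
    """Keeps a table of accepted flows plus FTP data-channel expectations."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()    # (src, sport, dst, dport) of accepted flows
        self.expect: set[tuple] = set()   # (server, client, client_port) from PORT commands

    def classify(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if p.syn and not p.ack:
            # Active-mode FTP data channel: server port 20 back to the address and
            # port the client announced on the control channel.
            if p.sport == 20 and (p.src, p.dst, p.dport) in self.expect:
                return "RELATED"
            return "NEW"
        return "INVALID"                  # mid-stream packet of a flow never seen

    def ftp_helper(self, p: Packet) -> None:
        """Like ip_conntrack_ftp: parse `PORT h1,h2,h3,h4,p1,p2` on the control
        channel and expect a data connection from the server to that endpoint."""
        if p.dport != 21:
            return
        m = PORT_RE.search(p.payload)
        if m:
            h = [int(x) for x in m.groups()]
            self.expect.add((p.dst, ".".join(map(str, h[:4])), h[4] * 256 + h[5]))

    def verdict(self, p: Packet) -> str:
        """Policy: NEW only from inside, ESTABLISHED/RELATED always, INVALID never."""
        state = self.classify(p)
        if state == "INVALID" or (state == "NEW" and not inside(p.src)):
            return "DROP"
        if state in ("NEW", "RELATED"):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            if state == "RELATED":
                self.expect.discard((p.src, p.dst, p.dport))
        self.ftp_helper(p)
        return "ACCEPT"


def run_demo() -> dict[str, tuple[str, str]]:
    """Returns {step: (conntrack verdict, --syn-only verdict)} for a constructed trace."""
    ct = ConnTracker()
    trace = [
        ("ftp-syn",    Packet("10.0.0.5", 4000, "192.0.2.10", 21, syn=True)),
        ("ftp-synack", Packet("192.0.2.10", 21, "10.0.0.5", 4000, syn=True, ack=True)),
        ("ftp-port",   Packet("10.0.0.5", 4000, "192.0.2.10", 21, ack=True,
                              payload=b"PORT 10,0,0,5,16,50\r\n")),   # port 16*256+50
        ("ftp-data",   Packet("192.0.2.10", 20, "10.0.0.5", 4146, syn=True)),
        ("ack-scan",   Packet("198.51.100.7", 31337, "10.0.0.5", 22, ack=True)),
        ("syn-scan",   Packet("198.51.100.7", 31337, "10.0.0.5", 22, syn=True)),
    ]
    return {name: (ct.verdict(p), syn_only_verdict(p)) for name, p in trace}


if __name__ == "__main__":
    for step, (stateful, stateless) in run_demo().items():
        print(f"{step:10s} conntrack={stateful:6s} syn-only={stateless}")
```

Two rows of the trace carry the argument: the server's active-mode data connection (ftp-data) is RELATED to the tracked control channel and passes the stateful policy, while the --syn rule drops it because it is just an inbound SYN; conversely a bare ACK from outside (ack-scan) matches no tracked flow and is dropped as INVALID, while the --syn rule lets it straight through because it only looks at the flag bits. Real netfilter does far more (sequence tracking, timeouts, NAT of the helper-created expectation), but the shape of the decision is the same.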
