Hi!

Maciej Soltysiak wrote:
>>> I am working on a specialized Debian GNU/Linux operating system that
>>> emphasizes security. Part of the project involves two patches for
>>> iptables: IMQ[1] and GrSecurity's STEALTH[2]
>>>
>>> 1. http://luxik.cdi.cz/~patrick/imq/
>>> 2. http://www.grsecurity.net
>>>
>>> currently, I need to patch iptables to package it for Debian, it would
>>> be nice if these patches would make it into upstream.
>>
> Hmm
> GRsecurity includes an iptables module called STEALTH, I've never tested
> it, and do not find it very important, as its functionality can be acquired
> by wise usage of PSD tcp-flags and state matching.
>
> Do you find it really useful (_and working_ as described)?
I'm not using the Stealth target, but from looking at the code it seems it
just calls udp_v4_lookup/tcp_v4_lookup. I don't know if it's safe to call
them at that time; tcp makes some sanity checks before calling
tcp_v4_lookup which are completely skipped.

I don't see how the same functionality could be acquired with PSD, but it
seems to me that the same functionality could be included in a superset of
the owner module which would match sending socket properties like owner
does but also of the receiving socket like socket exists, uid of receiver,
... This would be useful especially in combination with IMQ to limit
incoming bandwidth of users/groups/...

What do you/others think of that?

> I do not know what IMQ is, i will see.

IMQ is a software network device which feeds itself packets through
netfilter queueing mechanism to perform shaping over multiple devices /
real ingress shaping.

Bye,
Patrick
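The thread argues about whether STEALTH's behaviour (silently dropping unsolicited packets to ports with no listening socket, so the host looks dead rather than closed) can be approximated with plain state and tcp-flags matching. The script below is an added example written for this page, not code from the thread or from grsecurity; it only prints an iptables-restore ruleset (applying it needs root and is left to the reader), and it assumes the loopback interface is named lo and that the allowed TCP ports are passed as a space-separated list. Note the limit this exposes: the rules decide on packet state and flags alone, whereas STEALTH consults the socket table via tcp_v4_lookup/udp_v4_lookup, so "socket exists" semantics have to be emulated by listing the open ports by hand.

```shell
#!/bin/sh
# Added example (not from the thread): a "stealth"-style host ruleset built
# only from conntrack state and tcp-flags matching, approximating what the
# grsecurity STEALTH target does at the socket level.
# The function only PRINTS an iptables-restore ruleset. To apply it:
#   gen_stealth_rules "22 443" > stealth.rules && iptables-restore < stealth.rules
# Assumptions (constructed for this example): $1 is a space-separated list of
# TCP ports that should remain reachable; the loopback interface is "lo".

gen_stealth_rules() {
    allowed_ports="$1"
    echo '*filter'
    # DROP, not REJECT: no RST and no ICMP port-unreachable ever leave the box,
    # so a closed port is indistinguishable from a host that is not there.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always local and is accepted.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated, plus related ICMP errors.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # A legitimate new TCP connection starts with a bare SYN. Anything that
    # conntrack sees as NEW but is not a SYN (stray ACK/FIN, NULL or XMAS
    # probes) is dropped without an answer.
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    # Only the explicitly listed services may receive new connections; this is
    # the manual stand-in for STEALTH's "is there a listening socket" check.
    for p in $allowed_ports; do
        echo "-A INPUT -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    # Everything else falls through to the chain policy (DROP).
    echo 'COMMIT'
}

# Stand-alone run: print a ruleset that keeps SSH and HTTPS reachable.
gen_stealth_rules "22 443"
```

Because the script emits iptables-restore syntax rather than running iptables, the ruleset can be reviewed (or diffed against the running one with iptables-save) before it touches a live host. UDP services would need their own ACCEPT lines; the default policy drops them otherwise.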