Hi Jozsef,

Sorry for the late reply. I never suggested that this usage (see below) is only theoretical, and I'm very sorry if it was misinterpreted as that.

My proposal was to create a more secure, and stateful, redundancy mechanism. For example, 2 or more firewalls which share their conntrack tables via some userspace daemons. This would require the daemon to have read/write access to the conntrack tables via netlink, however, and I am not fully aware of the possibilities of this.

Once again, I am extremely sorry if you misinterpreted the whole mail as a suggestion that this is only theoretical. I know that you, among others, have told me and others that you've already implemented this in practice.

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

----- Original Message -----
From: "Jozsef Kadlecsik" <[EMAIL PROTECTED]>
To: "Oskar Andreasson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 07, 2002 2:27 PM
Subject: Re: Security flaw in Stateful filtering ??????

> On Fri, 7 Jun 2002, Oskar Andreasson wrote:
>
> > Another, related, usage is if we have a redundant firewall (I haven't seen this discussed so far so.... Consider this:
> >
> > 1 main firewall
> > 1 router
> > and a secondary firewall.
> >
> > The three are set up in a routing zone. If the main firewall goes down, the router will notice, and route packets through the redundant firewall. If the NEW target was to allow only SYN packets, this would be impossible as you can understand from this.
>
> We have been using such a redundant setup for more than a year.
> It's *not* theoretical.
>
> Regards,
> Jozsef
> -
> E-mail : [EMAIL PROTECTED], [EMAIL PROTECTED]
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
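The failover argument in the thread, as an added toy model that is not part of either mail and does not talk to netfilter: two firewalls, each with its own conntrack table, and a "NEW must be SYN" rule. Without a table copy (standing in for the netlink-fed daemon), the secondary sees a mid-stream packet as NEW and drops it; relaxing the SYN rule instead lets the packet through with no state behind it, which is the flaw the subject line is about. All names, packets and the two-address flow key are constructed for the example.

```python
"""Toy model of stateful firewall failover (constructed example, no real netfilter)."""
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # constructed, direction-independent (client, server) key


class Firewall:
    """Minimal stateful filter: a known flow is ESTABLISHED, anything else is NEW."""

    def __init__(self, name: str, require_syn: bool = True) -> None:
        self.name = name
        self.require_syn = require_syn          # the "NEW only if SYN" policy
        self.conntrack: Dict[Flow, str] = {}    # flow -> "ESTABLISHED"

    @staticmethod
    def _flow(src: str, dst: str) -> Flow:
        return (min(src, dst), max(src, dst))   # same key for both directions

    def filter(self, src: str, dst: str, flags: str) -> str:
        flow = self._flow(src, dst)
        if flow in self.conntrack:
            return "ACCEPT"                     # ESTABLISHED: part of a known flow
        if flags == "SYN" or not self.require_syn:
            self.conntrack[flow] = "ESTABLISHED"  # NEW flow enters the table
            return "ACCEPT"
        return "DROP"                           # NEW but not a SYN: rejected


def sync_table(primary: Firewall, secondary: Firewall) -> None:
    """Models the userspace daemons copying the conntrack table (a dict copy here)."""
    secondary.conntrack = dict(primary.conntrack)


def failover_scenario(sync: bool, require_syn: bool = True) -> List[str]:
    """Handshake through fw1, then fw1 dies and the router sends the flow via fw2."""
    fw1 = Firewall("fw1", require_syn)
    fw2 = Firewall("fw2", require_syn)
    verdicts = [fw1.filter("client", "server", "SYN"),
                fw1.filter("server", "client", "SYN-ACK"),
                fw1.filter("client", "server", "ACK")]
    if sync:
        sync_table(fw1, fw2)
    # fw1 goes down; the next packet of the established flow arrives at fw2
    verdicts.append(fw2.filter("client", "server", "PSH-ACK"))
    return verdicts


def secondary_has_state(sync: bool) -> bool:
    """True if fw2 would know the flow when it takes over (used to show the trade-off)."""
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    fw1.filter("client", "server", "SYN")
    if sync:
        sync_table(fw1, fw2)
    return fw1._flow("client", "server") in fw2.conntrack
```

With the table copied the secondary accepts the mid-stream packet as ESTABLISHED; without it the strict policy drops the connection, and the relaxed policy accepts it only by trusting a packet it has no state for.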