Denis Ducamp wrote:
>
>Actually only the 3-way handshake verifies IP sequence numbers in netfilter
>to avoid misc problems generated by SYN flooding. In fact, very few filters
>are stateful (verify IP sequence numbers) because this is expensive and
>doesn't have a lot of advantages compared to actual netfilter.
>
True. Actually Checkpoint Firewall-1 for instance doesn't do this either.
It also lets packets with just an ACK bit set through and creates a state
entry when the rulebase allows it. Check Lance Spitzner's paper
"understanding the state table of firewall-1" on
this subject at http://www.enteract.com/~lspitz/pubs.html

Regards,
Filip
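To make the two behaviours discussed above concrete, here is an added toy model of a connection-tracking table (example code written for this page, not netfilter's or Firewall-1's implementation). A "strict" table only creates an entry on a SYN and checks the handshake's sequence/ack numbers, and stops checking once the flow is ESTABLISHED, which is the netfilter behaviour Denis describes. A "loose" table additionally accepts an ACK-only packet with no prior handshake and creates an entry for it if the rulebase allows the destination, which is the Firewall-1 behaviour described in the reply. The addresses, ports, sequence numbers and the `allow_web` rulebase are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]
    seq: int
    ack: int = 0


@dataclass
class Entry:
    state: str                      # SYN_SENT, SYN_RECV or ESTABLISHED
    client: Tuple[str, int]
    server: Tuple[str, int]
    client_isn: int
    server_isn: Optional[int] = None


class StateTable:
    """Minimal connection tracker (constructed model, not a real firewall)."""

    def __init__(self, allow: Callable[[str, int], bool], loose: bool = False):
        self.allow = allow    # the "rulebase": may a flow to (dst, dport) be opened?
        self.loose = loose    # loose: a bare ACK may create an ESTABLISHED entry
        self.table: Dict[FrozenSet[Tuple[str, int]], Entry] = {}

    @staticmethod
    def _key(p: Packet) -> FrozenSet[Tuple[str, int]]:
        # Direction-independent key so both sides of a flow hit one entry.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def process(self, p: Packet) -> str:
        e = self.table.get(self._key(p))
        if e is None:
            return self._new_flow(p)
        if e.state == "ESTABLISHED":
            # After the handshake no sequence numbers are checked at all.
            return "ACCEPT"
        if e.state == "SYN_SENT":
            # Expect SYN+ACK from the server acknowledging client_isn + 1.
            if ((p.src, p.sport) == e.server and p.flags == {SYN, ACK}
                    and p.ack == e.client_isn + 1):
                e.state, e.server_isn = "SYN_RECV", p.seq
                return "ACCEPT"
            return "DROP"
        if e.state == "SYN_RECV":
            # Expect the client's final ACK acknowledging server_isn + 1.
            if ((p.src, p.sport) == e.client and p.flags == {ACK}
                    and p.ack == e.server_isn + 1):
                e.state = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        return "DROP"

    def _new_flow(self, p: Packet) -> str:
        if not self.allow(p.dst, p.dport):
            return "DROP"
        client, server = (p.src, p.sport), (p.dst, p.dport)
        if p.flags == {SYN}:
            self.table[self._key(p)] = Entry("SYN_SENT", client, server, p.seq)
            return "ACCEPT"
        if self.loose and p.flags == {ACK}:
            # Firewall-1-style: a lone ACK the rulebase allows is let through
            # and immediately gets an ESTABLISHED entry.
            self.table[self._key(p)] = Entry("ESTABLISHED", client, server, p.seq)
            return "ACCEPT"
        return "DROP"


def allow_web(dst: str, dport: int) -> bool:
    """Constructed rulebase: only HTTP to one internal host is permitted."""
    return dst == "10.0.0.5" and dport == 80


def run_handshake(fw: StateTable):
    """Verdicts for a correct 3-way handshake followed by one data segment."""
    c, s = ("192.0.2.7", 40000), ("10.0.0.5", 80)
    pkts = [
        Packet(*c, *s, frozenset({SYN}), seq=1000),
        Packet(*s, *c, frozenset({SYN, ACK}), seq=5000, ack=1001),
        Packet(*c, *s, frozenset({ACK}), seq=1001, ack=5001),
        Packet(*c, *s, frozenset({ACK}), seq=1001, ack=5001),  # data segment
    ]
    return [fw.process(p) for p in pkts]


def run_bare_ack(fw: StateTable) -> str:
    """Verdict for an ACK-only packet that was never preceded by a handshake."""
    return fw.process(Packet("192.0.2.9", 41000, "10.0.0.5", 80,
                             frozenset({ACK}), seq=77, ack=88))


def run_bad_synack(fw: StateTable) -> str:
    """A SYN+ACK with a wrong acknowledgement number is rejected mid-handshake."""
    c, s = ("192.0.2.8", 42000), ("10.0.0.5", 80)
    fw.process(Packet(*c, *s, frozenset({SYN}), seq=2000))
    return fw.process(Packet(*s, *c, frozenset({SYN, ACK}), seq=9000, ack=999))
```

Running `run_bare_ack` against a strict table yields `DROP`, against a loose table `ACCEPT` (provided the rulebase allows the destination), while the handshake path is identical for both. The model also shows why the loose policy is harder to reason about for a defender: once an entry exists, neither policy verifies sequence numbers any more, so the SYN requirement is the only point where the table gains any evidence that a real handshake took place.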
Title: RE: Netfilter State table questions