Petr,

Here is one excellent example of why it is important to check sequence numbers:
http://www.uniras.gov.uk/vuls/2004/236929/index.htm

For an excellent paper on TCP state checking, I like the following:
http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz

You might want to check out Daniel's PF Page (the lead developer of pf):
http://www.benzedrine.cx/pf.html

And of course the pf FAQ is one of the best Firewall FAQs on the 'Net:
http://www.openbsd.org/faq/pf/index.html

Jim

> -----Original Message-----
> Hi Gurus,
>
> I had a discussion with a friend of mine who uses Linux (and
> therefore iptables) for his firewall. I wonder why it is so
> important for a firewall to check for a valid sequence number range
> for the whole life of a connection. As I understand it, iptables does
> it only at handshake time, and after the connection enters the ESTABLISHED
> state it checks only for {source, destination} and {IP address,
> port}. Pf, on the other hand, checks for a valid sequence number all
> the time.
> If I send a packet with an invalid seq. number (with the other attributes
> valid) to a host behind the firewall and the firewall doesn't check it, i.e.
> lets it through, the destination host will drop it anyway, doesn't it?
> So in the case of pf, pf will drop the packet before it reaches the host; in the
> case of a firewall that doesn't check seq. numbers, the
> destination host will drop it. Yes, nasty and invalid packets
> will enter my network, taking resources from my server etc., but
> is there anything else that I missed?
>
> I read lots of papers about TCP hijacking, IP spoofing and packet
> injection, but I still somehow do not understand how a seq.
> number check on the firewall over the whole connection's lifetime could help.
> I could imagine only one situation: sending an RST with valid
> addresses and ports could change state on the firewall, but the host
> will drop it, so the firewall will close the connection (after some time)
> but it will still look established on both hosts.
> Could someone shed more light on it?
>
> Thanks a lot
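To make the difference the question asks about concrete, here is an added example (my own model, not pf's or iptables' code and not part of the original thread). It contrasts the two behaviours Petr describes: a tracker that validates the handshake and then trusts the 4-tuple alone, against one that keeps per-direction sequence windows for the life of the connection, in the shape of the van Rooij checks from the paper linked above (last byte inside the window the peer allowed, first byte at most one window behind, ACK within a bounded skew). The exchange, the ISNs, the window sizes and the MAXACKWINDOW tolerance are constructed for the example; window scaling and the rest of pf's state handling are left out. The scripted exchange ends with exactly the case Petr raised: a reset that matches the 4-tuple but carries a guessed sequence number, followed by legitimate data.

```python
from dataclasses import dataclass
from typing import Optional

MASK = 0xFFFFFFFF
MAXACKWINDOW = 65535  # tolerance on ACK numbers (value assumed for this model)


def s32(a: int, b: int) -> int:
    """Signed 32-bit difference a - b, so comparisons survive sequence wraparound."""
    d = (a - b) & MASK
    return d - (1 << 32) if d & 0x80000000 else d


@dataclass
class Packet:
    src: str          # "client" or "server"
    seq: int
    ack: int
    flags: str        # subset of "SAFRP"
    win: int = 65535
    length: int = 0   # payload bytes

    @property
    def end(self) -> int:
        """Sequence number just past this segment (SYN and FIN each consume one)."""
        return (self.seq + self.length + ("S" in self.flags) + ("F" in self.flags)) & MASK


@dataclass
class Side:
    seqlo: Optional[int] = None  # one past the highest byte this side has sent
    seqhi: Optional[int] = None  # highest byte the peer has permitted this side to send
    max_win: int = 1             # largest window this side has advertised


class TupleOnlyFirewall:
    """Validates the handshake, then trusts the 4-tuple alone (the behaviour the
    question attributes to iptables). A matching RST is honoured unchecked."""

    def __init__(self) -> None:
        self.state = "NEW"
        self.isn = {}

    def check(self, p: Packet) -> bool:
        if self.state == "ESTABLISHED":
            if "R" in p.flags:
                self.state = "CLOSED"  # tears the state down without looking at seq
            return True
        if self.state == "NEW" and p.src == "client" and p.flags == "S":
            self.isn["client"], self.state = p.seq, "SYN_SENT"
            return True
        if (self.state == "SYN_SENT" and p.src == "server" and p.flags == "SA"
                and p.ack == (self.isn["client"] + 1) & MASK):
            self.isn["server"], self.state = p.seq, "SYN_RECV"
            return True
        if (self.state == "SYN_RECV" and p.src == "client" and "A" in p.flags
                and p.ack == (self.isn["server"] + 1) & MASK):
            self.state = "ESTABLISHED"
            return True
        return False


class WindowFirewall:
    """Keeps per-direction sequence windows for the whole connection lifetime."""

    def __init__(self) -> None:
        self.sides = {"client": Side(), "server": Side()}

    def check(self, p: Packet) -> bool:
        src = self.sides[p.src]
        dst = self.sides["server" if p.src == "client" else "client"]
        end = p.end
        if src.seqlo is None:  # first segment from this side: seed its window
            src.seqlo, src.seqhi, src.max_win = p.seq, (end + 1) & MASK, max(p.win, 1)
        if s32(end, src.seqhi) > 0:                          # 1. last byte beyond what peer allowed
            return False
        if s32(p.seq, (src.seqlo - dst.max_win) & MASK) < 0:  # 2. more than one window behind
            return False
        if "A" in p.flags and dst.seqlo is not None:         # 3. ACK must be near what peer sent
            skew = s32(dst.seqlo, p.ack)
            if skew < -MAXACKWINDOW or skew > MAXACKWINDOW:
                return False
        # Accepted: advance this side's window and slide the peer's allowance.
        src.max_win = max(src.max_win, p.win)
        if s32(end, src.seqlo) > 0:
            src.seqlo = end
        if "A" in p.flags and (dst.seqhi is None or s32((p.ack + p.win) & MASK, dst.seqhi) >= 0):
            dst.seqhi = (p.ack + max(p.win, 1)) & MASK
        return True


CLIENT_ISN, SERVER_ISN = 1_000_000, 2_000_000

# Constructed exchange: handshake, one data segment and its ACK, a spoofed RST
# from someone who knows the 4-tuple but guessed the sequence number, then more data.
EXCHANGE = [
    Packet("client", CLIENT_ISN, 0, "S"),
    Packet("server", SERVER_ISN, CLIENT_ISN + 1, "SA"),
    Packet("client", CLIENT_ISN + 1, SERVER_ISN + 1, "A"),
    Packet("client", CLIENT_ISN + 1, SERVER_ISN + 1, "AP", length=100),
    Packet("server", SERVER_ISN + 1, CLIENT_ISN + 101, "A"),
    Packet("client", 5_000_000, 0, "R"),  # spoofed reset, far outside the window
    Packet("client", CLIENT_ISN + 101, SERVER_ISN + 1, "AP", length=40),
]


def run(firewall, packets=EXCHANGE):
    """Pass/drop verdict for each packet in order."""
    return [firewall.check(p) for p in packets]


if __name__ == "__main__":
    for fw in (TupleOnlyFirewall(), WindowFirewall()):
        print(type(fw).__name__, ["pass" if ok else "DROP" for ok in run(fw)])
```

The tuple-only tracker passes the spoofed RST and, having torn its state down, then drops the next legitimate data segment; the window tracker drops the RST because its last byte lies beyond what the server has permitted the client to send, keeps the state, and passes the real data. A reset whose sequence number does fall inside the window is still honoured by both, which is the residual risk the UNIRAS advisory above is about.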
