BTW - You might be interested to know that tracking sequence numbers has
been deemed important in IPTables. The TCP Window Tracking patch checks
sequence numbers (as described in
http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz.ps.gz) and has
been submitted to be included in the mainline kernel for 2.6.9.
I have to say I was somewhat surprised, given all the praise I hear about
IPTables, that many of the features I take for granted in pf are not in the
default Linux kernel or even available.
The OpenBSD and pf teams are not really given the credit they deserve. Even
CARP which was invented here is being used by the Netfilter team. Don't let
the seemingly simple interface of pf (at least compared to many other
firewalls) fool you, this "firewall" is profoundly powerful.
<> Jim
> -----Original Message-----
> Hi Gurus,
> I had a discussion with a friend of mine who uses Linux (and
> therefore iptables) for his firewall. I wonder, why is it so
> important for a firewall to check for a valid sequence number range
> for the whole life of a connection? As I understand it, iptables does
> it only during the handshake, and after the connection enters the ESTABLISHED
> state it checks only for {source,destination} and {IP address,
> port}. Pf on the other hand checks for valid sequence numbers all
> the time.
> If I send a packet with an invalid seq. number (with the other attributes
> valid) to a host behind the firewall and the firewall doesn't check it, i.e.
> lets it through, the destination host will drop it anyway, doesn't it?
> So in the case of pf, pf will drop the packet before it reaches the host; in
> the case of a firewall that doesn't check seq. numbers,
> the destination host will drop it. Yes, nasty and invalid packets
> will enter my network, taking resources from my server etc., but
> is there anything else that I missed?
>
> I read lots of papers about TCP hijacking, IP spoofing and packet
> injection, but I still somehow do not understand how a seq.
> number check on the firewall for the whole connection's lifetime could help.
> I can imagine only one situation: sending an RST with valid
> addresses and ports could change the state on the firewall, but the host
> will drop it, so the firewall will close the connection (after some time)
> but it will still look established on both hosts.
> Could someone shed more light on it?
> Thanks a lot
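The whole-lifetime check that Jim's reply and the quoted question are about, written out as an added illustration (this is example code, not pf's or Netfilter's source): a per-connection window tracker in the spirit of the tcp_filtering paper, where each side keeps the highest byte it has sent, the highest byte its peer allows it to send, and the largest window it has advertised. The ESTABLISHED state, window sizes and packets below are constructed; the tracker refuses segments whose seq or ack fall outside the window the two endpoints have agreed on, even when addresses and ports match.

```python
from dataclasses import dataclass

M = 1 << 32  # TCP sequence-number space


def seq_le(a: int, b: int) -> bool:
    """Modular a <= b in 32-bit sequence space (handles wraparound)."""
    return ((b - a) % M) < (1 << 31)


@dataclass
class Side:
    end: int     # highest seq+len this side has sent (next byte it will send)
    maxend: int  # highest seq this side may send: peer's ack + peer's window
    maxwin: int  # largest window this side has advertised


class TcpState:
    """Constructed ESTABLISHED connection; both sides start with window `win`."""

    def __init__(self, client_end: int, server_end: int, win: int):
        self.side = {"client": Side(client_end, client_end + win, win),
                     "server": Side(server_end, server_end + win, win)}

    def check(self, sender: str, seq: int, ack: int, length: int, win: int) -> bool:
        s = self.side[sender]
        r = self.side["server" if sender == "client" else "client"]
        end = (seq + length) % M
        ok = (seq_le(seq, s.maxend)                      # starts inside peer's receive window
              and seq_le((s.end - r.maxwin) % M, end)     # not older than the peer's window
              and seq_le(ack, r.end)                      # cannot ack bytes the peer never sent
              and seq_le((r.end - s.maxwin) % M, ack))    # ack not hopelessly stale
        if ok:  # only packets that pass may advance the tracked state
            if seq_le(s.end, end):
                s.end = end
            s.maxwin = max(s.maxwin, win)
            if seq_le(r.maxend, (ack + win) % M):
                r.maxend = (ack + win) % M
        return ok


def demo() -> list:
    st = TcpState(client_end=1000, server_end=5000, win=8192)
    return [
        st.check("client", 1000, 5000, 100, 8192),   # client sends 100 bytes: pass
        st.check("server", 5000, 1100, 50, 8192),    # server acks them, sends 50: pass
        st.check("client", 71100, 5050, 0, 8192),    # right 4-tuple, seq far outside window: drop
        st.check("client", 1100, 6000, 0, 8192),     # acks data the server never sent: drop
        st.check("client", 1000, 5050, 100, 8192),   # retransmission of the 100 bytes: pass
    ]
```

The third and fourth packets are exactly the "valid addresses and ports, invalid sequence numbers" case from the question: the tracker drops them at the firewall instead of letting them reach the host, while a genuine retransmission still passes.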