* [EMAIL PROTECTED] [2001.03.21 18:13]:
> Can anyone tell me either by opinion, or preferably by scientific
> fact, how much more secure the stateful netfilter in the 2.4 kernel
> is compared to the 2.2 series firewall? Are they about the same, or
> are we talking an order of magnitude?
>
> Note, I'm not talking about ipchains vs iptables, the interface to
> the firewall; rather, I'm talking about netfilter as the kernel
> firewall versus whatever the 2.2 kernel filter was called.
> Statefulness vs statelessness.
>
> When I specify "allow Established and Related connections in", is this
> secure? Is it possible for someone to hijack an established
> connection? Even with spoofed packets? What is a related
> connection?
>
> Thanks!
> Cory
>
I'm by no means an expert on this subject, so take this with a grain of salt... actually, consider this bogus until someone with more experience can comment on my comments. All of the following comes from an evening with ethereal and some RFCs. *grim*

Your questions got me wondering about this and about exactly how TCP works, so I went to RFC 793. After reading through parts of it, I have a little better understanding of TCP. I would suggest reading as much of it as you can stand.

My uneducated guess is that it would be possible to perform a man-in-the-middle hijacking of a stream. From my reading of RFC 793 (and very little of RFC 760), the keys are the IP ID (for decoding packet fragmentation) and the TCP sequence numbers. It seems like someone could follow a connection from the beginning to know what to expect next and hijack it. Then again, there are about 3000 RFCs I haven't read. *grin* I seem to remember IPv6 aiming to fix some of this.

As far as spoofed packets go, I don't see how that would be a problem for TCP. You could spoof a connection (SYN packet) from an allowed host, but without an ACK with the appropriate sequence numbers from the *real* host that was spoofed, the connection would never be "established". Hmm... I guess you could go back to the man-in-the-middle stuff to make this work (assuming that's possible). UDP, on the other hand, doesn't have states and doesn't require ACKs, so spoof attacks would probably work.

Anyway, I've probably made some blatant errors in my thinking, so please enlighten me... I'm even interested to know if I'm right. *grin*

--
Cameron Moore
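The handshake argument in the reply above (a spoofed SYN from an "allowed host" can never bring a flow to ESTABLISHED because the third-step ACK has to name a sequence number only the real peer saw, while UDP gives a tracker nothing comparable to check) can be made concrete with a toy connection tracker. The following is an added example written for this page; it is not code from the thread and not netfilter's conntrack. The hosts, ports, sequence numbers and packets are constructed sample data, the in-window check is a simplification of what a real tracker does, and RELATED handling is left out entirely.

```python
"""Toy stateful packet filter modelled on the TCP handshake in RFC 793.

Added example, not code from the original thread or from netfilter itself.
An inbound packet is accepted only if it belongs to a flow an inside host
started, and a TCP flow reaches ESTABLISHED only when the inside host's
third-step ACK names the sequence number the *real* peer chose. Hosts,
ports and numbers are constructed sample data; the in-window check is a
simplification of a real tracker, and RELATED handling is omitted.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
INSIDE = {"10.0.0.5"}   # hosts behind the firewall (constructed)
WINDOW = 65535          # sequence space accepted past the expected seq


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0
    seq: int = 0
    ack: int = 0
    length: int = 0     # payload bytes


def flow_key(p):
    """Direction-independent 5-tuple so both directions map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto, a, b) if a < b else (p.proto, b, a)


class ConnTracker:
    def __init__(self):
        self.flows = {}

    def state(self, p):
        f = self.flows.get(flow_key(p))
        return f["state"] if f else None

    def process(self, p):
        outbound = p.src in INSIDE
        k = flow_key(p)
        f = self.flows.get(k)

        if p.proto == "udp":
            # No handshake to verify: a reply passes if an outbound packet on
            # this 4-tuple was seen, so anyone who knows the tuple can pass.
            if outbound:
                self.flows[k] = {"state": "UDP_SEEN"}
                return "ACCEPT"
            return "ACCEPT" if f else "DROP"

        if f is None:
            if outbound and p.flags == SYN:
                self.flows[k] = {"state": "SYN_SENT", "c_isn": p.seq, "s_isn": None}
                return "ACCEPT"
            return "DROP"       # inbound NEW: neither ESTABLISHED nor RELATED

        st = f["state"]
        if st == "SYN_SENT":
            if not outbound and p.flags == SYN | ACK and p.ack == f["c_isn"] + 1:
                f["state"], f["s_isn"] = "SYN_RECV", p.seq
                return "ACCEPT"
            return "DROP"       # guessed ack: a spoofer never saw our ISN
        if st == "SYN_RECV":
            if outbound and p.flags == ACK and p.ack == f["s_isn"] + 1:
                f["state"] = "ESTABLISHED"
                f["next"] = {"out": f["c_isn"] + 1, "in": f["s_isn"] + 1}
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED: each side must continue roughly where it left off
        side = "out" if outbound else "in"
        exp = f["next"][side]
        if exp <= p.seq < exp + WINDOW:
            f["next"][side] = max(exp, p.seq + p.length)
            return "ACCEPT"
        return "DROP"           # seq nowhere near what this side last sent


def run_scenario():
    """Replay constructed packets; return verdicts and the flow state each left."""
    ct = ConnTracker()
    c, srv, dns, other = "10.0.0.5", "203.0.113.9", "203.0.113.53", "198.51.100.7"
    steps = [
        ("syn_out",      Packet("tcp", c, srv, 40000, 80, SYN, seq=1000)),
        ("synack_in",    Packet("tcp", srv, c, 80, 40000, SYN | ACK, seq=5000, ack=1001)),
        ("ack_out",      Packet("tcp", c, srv, 40000, 80, ACK, seq=1001, ack=5001)),
        ("data_in_ok",   Packet("tcp", srv, c, 80, 40000, ACK, seq=5001, ack=1001, length=100)),
        ("inject_in",    Packet("tcp", srv, c, 80, 40000, ACK, seq=900000, ack=1001, length=20)),
        ("spoof_syn_in", Packet("tcp", srv, c, 80, 40001, SYN, seq=1)),
        ("syn2_out",     Packet("tcp", c, other, 40002, 22, SYN, seq=7000)),
        ("guess_synack", Packet("tcp", other, c, 22, 40002, SYN | ACK, seq=1, ack=1)),
        ("udp_out",      Packet("udp", c, dns, 40003, 53, length=40)),
        ("udp_in",       Packet("udp", dns, c, 53, 40003, length=120)),
    ]
    verdicts = {label: ct.process(p) for label, p in steps}
    states = {label: ct.state(p) for label, p in steps}
    return verdicts, states


if __name__ == "__main__":
    for label, v in run_scenario()[0].items():
        print(f"{label:13} {v}")
```

Running it shows the three legitimate handshake packets and the in-sequence server data accepted, while the inbound SYN with no tracked flow, the SYN/ACK carrying a guessed acknowledgement number, and the data segment far outside the expected sequence range are all dropped. The UDP reply, by contrast, is accepted purely because its 4-tuple matches an earlier outbound packet, which is exactly the gap the reply points at: the tracker has no sequence numbers to check, so the pseudo-state for UDP is a heuristic rather than proof that the reply came from the host that was queried.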

