On 2000-03-13T23:51:43, "Dr. Michael Weller" <[EMAIL PROTECTED]> said:
> Certain Firewalls (say a Cisco PIX, to name one) can protect a network
> before certain attacks (say SYN flooding) by first establishing the TCP
> protocol with the foreign host and only after successful TCP parameter
> negotiation initiating the actual TCP connection to the client. [Afaik,
> the PIX (for example) even allows randomization of Packet Sequence Numbers
> (in the outbound direction) of the watched TCP connections.]
>
> I'm under the impression that I cannot achieve protection against such
> denial of service attacks with a linux firewall.
Right. Linux can't do that.
This is something which better takes place on the servers themselves, where
Linux does implement it - see SYN/RST cookies in the networking section of the
kernel options.
Sincerely,
Lars Marowsky-Brée <[EMAIL PROTECTED]>
Development HA
--
Perfection is our goal, excellence will be tolerated. -- J. Yahl
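The kernel option Lars points to (SYN cookies) lets a server survive a SYN flood without keeping per-connection state for half-open connections: the information the server would normally store in a SYN queue entry is instead encoded into the initial sequence number it sends in the SYN-ACK, and is recovered from the client's ACK. The following is an added illustration of that scheme, not code from this thread or from the Linux kernel; the MSS table, the 64-second counter granularity, the HMAC-SHA-256 hash and the constant `SECRET` are simplifying assumptions chosen for readability, not the kernel's actual choices.

```python
import hashlib
import hmac
from typing import Optional

# Constructed MSS table (hypothetical values): the cookie only has 3 bits for
# the MSS, so the server rounds the client's advertised MSS down to one of these.
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 65495)

# Constructed secret for the example; a real implementation uses per-boot random keys.
SECRET = b"constructed-server-secret"


def mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def counter(now: float) -> int:
    """5-bit slowly moving timer, ticking every 64 seconds (assumed granularity)."""
    return (int(now) >> 6) & 0x1F


def _hash24(sip: str, sport: int, dip: str, dport: int, t: int, secret: bytes) -> int:
    """24-bit keyed hash over the 4-tuple and the counter value."""
    msg = f"{sip}:{sport}>{dip}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(sip: str, sport: int, dip: str, dport: int, mss: int,
                now: float, secret: bytes = SECRET) -> int:
    """Initial sequence number for the SYN-ACK: 5 bits counter | 3 bits MSS | 24 bits hash.

    Nothing is stored on the server for this half-open connection.
    """
    t = counter(now)
    h = _hash24(sip, sport, dip, dport, t, secret)
    return ((t << 27) | (mss_index(mss) << 24) | h) & 0xFFFFFFFF


def check_cookie(ack: int, sip: str, sport: int, dip: str, dport: int,
                 now: float, secret: bytes = SECRET) -> Optional[int]:
    """Validate the ACK of a handshake and recover the MSS, or None if invalid.

    The client acknowledges ISN+1, so the cookie is ack-1. A cookie is accepted
    only if it was minted in the current or previous counter tick and its hash
    matches, which stops replay of old cookies and forging of arbitrary ACKs.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    if (counter(now) - t) & 0x1F > 1:
        return None  # too old: the client waited past the validity window
    expected = _hash24(sip, sport, dip, dport, t, secret)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None  # forged or corrupted ACK
    return MSS_TABLE[idx]


def flood_state_size(n_syns: int, now: float) -> int:
    """Answer `n_syns` constructed SYNs from distinct source ports; return how many
    half-open entries the server had to keep (always 0 with cookies)."""
    half_open = {}
    for port in range(1024, 1024 + n_syns):
        make_cookie("192.0.2.10", port, "198.51.100.1", 80, 1460, now)
    return len(half_open)


if __name__ == "__main__":
    now = 1_000_000.0
    isn = make_cookie("192.0.2.10", 40000, "198.51.100.1", 80, 1500, now)
    print("SYN-ACK ISN:", hex(isn))
    print("MSS recovered from ACK:", check_cookie(isn + 1, "192.0.2.10", 40000,
                                                   "198.51.100.1", 80, now))
    print("Same ACK 200 s later:", check_cookie(isn + 1, "192.0.2.10", 40000,
                                                "198.51.100.1", 80, now + 200))
    print("Half-open entries after 10000 SYNs:", flood_state_size(10000, now))
```

The trade-off visible in the code is why this belongs on the server rather than on a packet filter: the cookie only carries what fits in 32 bits (a coarse MSS and a short timer), so TCP options negotiated in the SYN are lost, and only the endpoint that owns the sockets can finish the handshake from the recovered values.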