On Tue, 14 Mar 2000, Lars Marowsky-Bree wrote:
> On 2000-03-13T23:51:43,
> "Dr. Michael Weller" <[EMAIL PROTECTED]> said:
>
> > Certain Firewalls (say a Cisco PIX, to name one) can protect a network
> > before certain attacks (say SYN flooding) by first establishing the TCP
> > protocol with the foreign host and only after successful TCP parameter
> > negotiation initiating the actual TCP connection to the client. [Afaik,
> > the PIX (for example) even allows randomization of Packet Sequence Numbers
> > (in the outbound direction) of the watched TCP connections.]
> >
> > I'm under the impression that I cannot achieve protection against such
> > denial of service attacks with a linux firewall.
>
> Right. Linux can't do that.
>
But ingress filtering?
> This is something which better takes place on the servers themselves, where
> Linux does implement it - see SYN/RST cookies in the networking section of the
> kernel options.
>
> Sincerely,
> Lars Marowsky-Brée <[EMAIL PROTECTED]>
> Development HA
>
> --
> Perfection is our goal, excellence will be tolerated. -- J. Yahl
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
>
---
Catalin(ux) BOIE
[EMAIL PROTECTED]
A new Linux distribution: http://l13plus.deuroconsult.ro
http://www2.deuroconsult.ro/~catab