On Friday 03 May 2002 12:52 pm, Williamson, Fionn wrote:
> Hello Everybody!
>
> I'm having a torrid time with our security guys at the moment.

You have our sympathies :-)

> 1) How does netfilter maintain its state table? I understand that one can
> view it in the /proc/ip_conntrack file, but does this give me a full
> picture of the state table?

As stated in the last response, the source code is your best bet for this one. Not sure if that's good news or not, for you.

> 2) Does the state table keep things like IP sequence numbers so that
> session hijacking can be avoided, and an interface label (e.g. eth0) that
> the state is for?

No, (as far as I know) the state table does not track sequence numbers (however, how would this prevent session hijacking even if it did?), and again (as far as I know) the state table does not know about physical interfaces - it knows about source & destination addresses & ports, and whether outbound and/or response packets have been seen so far.

> 3) How would one go about confirming that netfilter does FULL stateful
> checking?

Define full stateful inspection, please? (No, seriously - I'm always interested to know what different people mean by this phrase).

> 4) Is there any way to alter the default session timeout periods without
> having to recompile the kernel?

No.

Do your "security guys" have some other preferred firewall system for which they already have the answers to these questions, or are they just saying "no-one ever got fired for buying Checkpoint FW-1"?

Antony.
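As an added illustration of what the state table does and does not record (not code from anyone in this thread), the parser below reads /proc/ip_conntrack-style lines into the fields the reply describes: addresses and ports for both directions, the TCP state, the remaining timeout, and whether a response has been seen ([UNREPLIED] versus [ASSURED]). The sample lines are constructed to approximate the 2.4-era format, not captured data, and no interface or sequence-number field exists to parse.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample approximating /proc/ip_conntrack on a 2.4 kernel (not real data).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=45000 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=45000 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=10.0.0.6 sport=45001 dport=22 [UNREPLIED] src=10.0.0.6 dst=192.168.1.10 sport=22 dport=45001 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.7 sport=5353 dport=53 [UNREPLIED] src=10.0.0.7 dst=192.168.1.10 sport=53 dport=5353 use=1
"""

@dataclass
class ConntrackEntry:
    proto: str
    timeout: int                  # seconds left before the entry is dropped
    state: Optional[str]          # TCP state; None for stateless protocols (udp)
    original: Dict[str, str]      # src/dst/sport/dport of the initiating direction
    reply: Dict[str, str]         # tuple expected for packets in the reverse direction
    flags: List[str] = field(default_factory=list)

    @property
    def reply_seen(self) -> bool:
        # [UNREPLIED] marks entries for which no response packet has arrived yet.
        return "UNREPLIED" not in self.flags

def parse_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])        # tokens[1] is the protocol number
    rest = tokens[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                            # e.g. ESTABLISHED, SYN_SENT
    tuples: List[Dict[str, str]] = []
    flags: List[str] = []
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src":                               # each src= opens a new tuple
            tuples.append({})
        if key in ("src", "dst", "sport", "dport"):
            tuples[-1][key] = value                    # use=N is intentionally ignored
    reply = tuples[1] if len(tuples) > 1 else {}
    return ConntrackEntry(proto, timeout, state, tuples[0], reply, flags)

def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def unreplied(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """Half-open entries: an outbound packet was seen but no response yet."""
    return [e for e in entries if not e.reply_seen]
```

Counting `unreplied()` entries over time is a cheap way to watch for half-open connection build-up without needing anything the table does not already expose.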
