On Fri, May 03, 2002 at 01:52:02PM +0200, Williamson, Fionn wrote:
> Hello Everybody!,

Hi,

> 1) How does netfilter maintain its state table? I understand that one can
> view it in the /proc/ip_conntrack file, but does this give me a full picture
> of the state table? 

You can look at
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
and of course at "Rusty's Remarkably Unreliable Guides" at
http://netfilter.samba.org/unreliable-guides/.

> 2) Does the state table keep things like IP sequence numbers so that
> session hijacking can be avoided, and an interface label (e.g. eth0) that the
> state is for?

Can you explain to me how such a stateful filter can avoid hijacking by
verifying IP sequence numbers?
 . If the sequence number is wrong then the packet is refused by the filter
   and doesn't touch the server, which would have refused it anyway
 . If the sequence number is right then the packet is accepted by the filter
   and touches the server, which accepts it

> 3) How would one go about confirming that netfilter does FULL stateful
> checking?

netfilter isn't stateful as of now but should be soon, when the
tcp-window-tracking.patch patch by Jozsef Kadlecsik from the patch-o-matic
becomes standard. This patch has been written from Guido van Rooij's document
'Real Stateful TCP Packet Filtering in IP Filter'
<http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz>

Actually only the 3-way handshake verifies IP sequence numbers in netfilter,
to avoid misc problems generated by SYN flooding. In fact, very few filters
are stateful (verify IP sequence numbers) because this is expensive and
doesn't have a lot of advantages compared to actual netfilter.

Best regards,

Denis Ducamp.

-- 
.signature in mourning
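
The conntrack listing under /proc that question 1 asks about, as an added example that is not part of the original message: a small parser for lines in the classic ip_conntrack text layout, run over constructed sample lines, that reports which fields the listing exposes. The sample addresses and ports and the helper names are assumptions made for illustration.

```python
# Added example: parse ip_conntrack-style lines into structured entries.
# SAMPLE is constructed for illustration (documentation addresses, made-up ports).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=1025 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1025 [ASSURED] use=1
tcp      6 57 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=1026 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=22 dport=1026 use=1
udp      17 12 src=192.0.2.10 dst=198.51.100.53 sport=1027 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.10 sport=53 dport=1027 use=1
"""

# Keys that belong to a connection tuple; each appears once per direction.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_conntrack_line(line):
    """Return one state-table entry as a dict; raise ValueError if malformed."""
    tokens = line.split()
    if len(tokens) < 3 or not (tokens[1].isdigit() and tokens[2].isdigit()):
        raise ValueError("not a conntrack line: %r" % line)
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None, "flags": [],
             "original": {}, "reply": {}, "other": {}}
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])          # e.g. ASSURED, UNREPLIED
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                # First occurrence is the original direction, second the reply.
                side = "reply" if key in entry["original"] else "original"
                entry[side][key] = value
            else:
                entry["other"][key] = value           # e.g. use=1
        else:
            entry["state"] = tok                      # TCP state; absent for UDP
    return entry


def parse_table(text):
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def exposed_fields(entries):
    """Every key name the listing exposes across all entries."""
    names = set()
    for e in entries:
        for part in ("original", "reply", "other"):
            names.update(e[part])
    return names


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for e in table:
        print(e["proto"], e["state"], e["timeout"], e["original"], e["flags"])
    print("fields:", sorted(exposed_fields(table)))
```

On the sample lines, the exposed keys are the two address/port tuples and the use counter; no sequence number or interface name appears as a field.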
