--- civileme <[EMAIL PROTECTED]> wrote:
> On Tuesday 07 August 2001 22:20, jen wrote:
> > L's and G's,
> >
> > This is my first time setting up InteractiveBastille and I must admit, it
> > is a little nerve-racking to not know exactly what you're doing. While I do
> > understand the premises of services, ports and basic TCP/IP acks, denies and
> > so forth, I do not understand why most of these questions advise me that if
> > I use iptables, I should not worry about most of these settings.
> >
> > I did choose the "I want to spend an hour learning my system" option, but
> > half of the questions tell me I don't need to worry if I'm using iptables.
> > Would someone be kind enough to tell me <smiles> or tell me where I might
> > go to better understand the differences in the kernels. I never have dealt
> > with anything other than 2.4.X (Mandrake 8.0).
> >
> > As always, thanks in advance.
> >
> > j
> 
> 
> OK, the difference in ipchains and iptables, besides some obvious syntax in
> the rules, is that iptables is _stateful_ while ipchains is not.  And it
> looks like we got there with it just in time for people to start using it.
> 
> What does stateful mean?  It means that sending a packet changes the state
> of the engine handling packets.
> 
> There are many ways to crack a TCP connection or to put intruder packets
> into a system.  Most of them require the attacking system to have raw
> socket capability.
> 
> With raw sockets, a machine can claim its packets are from any IP address
> and are of any protocol.  It can also malform the packets sent for various
> purposes, as is done with the famed "teardrop", "bonk", "ping of death" and
> "nestea" attacks to knock a computer off the internet.
> 
> Until recently, the easily compromised systems did not have raw socket
> capability, but now, this October, there will be WinXP with full raw socket
> capability and the famous nonexistent Microsoft security.  Script kiddies
> will be recruiting new soldiers by compromising these systems, and their
> attacks will be extraordinarily potent.
> 
> The Windows machines recruited in the past could basically send pings and
> huge UDP packets to attack other machines, but now they can come in saying,
> "Hi, I'm the packet from your best friend's machine, right in the middle of
> a trusted dialogue."  Or, "Here is the nameservice information you
> requested" (return address is in fact that of your nameserver).
> 
> With ipchains, you have NO defense against such rogue packets--they come
> through and try to do whatever it is they came to accomplish (not very much
> on a Linux system, but if you are using your Linux to protect a network of
> Windows machines...).
> 
> With iptables, the answer is, "I beg your pardon, there was no dialogue?"
> or "Sorry, I have all the answers I was looking for from nameservices."  In
> either case the rogue packet is dropped on the floor.
> 
> With kernel 2.4.3 there is an iptables hole regarding ftp packets at the
> moment.  We are testing a kernel update which should plug this hole.
> 
> Civileme

*********

Thank you... this is good information and will help me know where to look
for more info.

Aren't you supposed to be on Vacation?

va·ca·tion (vā-kā′shən, və-)
n. 
A period of time devoted to pleasure, rest, or
relaxation, especially one with pay granted to an
employee. 

A holiday. 
A fixed period of holidays, especially one during
which a school, court, or business suspends
activities. 
Archaic. The act or an instance of vacating. 

Thanks again!
=====
Jennifer
Registered Linux User #221463 
Yahoo IM: jlynn2k
#include <knowledge.h>
void ignorance (it offers no value)
*/A freely given answer can offer enlightenment to those who ask valid questions
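
The stateful-versus-stateless point civileme makes in the quoted reply, as an
added example that is not part of the original thread: a small Python
simulation of both kinds of filter run over one constructed packet trace.
The addresses, ports and packets are all made up for the demonstration. The
stateless rules mirror the usual ipchains setup (deny inbound TCP SYNs with
`-y`, accept inbound UDP from port 53 so DNS answers arrive); the stateful
filter mirrors what `iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT`
does with the kernel's connection-tracking table, reduced to the parts needed
to show why the forged packets he describes are dropped.

```python
"""Stateless (ipchains-style) vs stateful (iptables conntrack-style) filtering,
run over a constructed packet trace.  Added example; not code from the thread."""
from dataclasses import dataclass

HOST = "192.168.1.10"    # the machine being protected   (constructed address)
PEER = "10.0.0.5"        # a trusted peer HOST talks to  (constructed address)
NS = "10.0.0.53"         # HOST's nameserver             (constructed address)
BAD = "172.16.0.9"       # an attacker with raw sockets  (constructed address)


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = sent by HOST, "in" = arriving at HOST
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> str:
    """ipchains-style verdict from header bits alone.  Mirrors the classic
    'ipchains -A input -p tcp -y -j DENY' ruleset: block inbound connection
    attempts (SYN without ACK), let anything that *looks* like part of an
    existing conversation through, and accept UDP from port 53 for DNS."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
        return "ACCEPT"          # looks like an established connection
    if pkt.proto == "udp" and pkt.sport == 53:
        return "ACCEPT"          # looks like a DNS answer
    return "DROP"


class StatefulFilter:
    """iptables-style verdict: an inbound packet is accepted only if HOST
    started the flow it claims to belong to.  The flow table is the state
    that 'sending a packet changes' in the original explanation."""

    def __init__(self) -> None:
        self.flows: dict = {}    # (proto, host_port, peer_ip, peer_port) -> state

    @staticmethod
    def _key(pkt: Packet):
        if pkt.direction == "out":
            return (pkt.proto, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                self.flows[key] = "SYN_SENT"        # NEW outbound connection
            elif pkt.proto == "udp":
                self.flows.setdefault(key, "UDP")   # answers expected on this 4-tuple
            return "ACCEPT"
        state = self.flows.get(key)
        if state is None:
            return "DROP"        # "I beg your pardon, there was no dialogue?"
        if pkt.proto == "udp":
            return "ACCEPT"      # answer to a query HOST really sent
        if state == "SYN_SENT" and pkt.syn and pkt.ack:
            self.flows[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED" and pkt.ack and not pkt.syn:
            return "ACCEPT"
        return "DROP"            # flags do not fit where this flow is


# Constructed trace: an SSH session to PEER, a DNS lookup, then three packets
# an attacker could only build with raw sockets.
TRACE = [
    Packet("out", "tcp", HOST, 40001, PEER, 22, syn=True),            # 1 SYN
    Packet("in", "tcp", PEER, 22, HOST, 40001, syn=True, ack=True),   # 2 SYN/ACK
    Packet("out", "tcp", HOST, 40001, PEER, 22, ack=True),            # 3 ACK
    Packet("in", "tcp", PEER, 22, HOST, 40001, ack=True),             # 4 data
    Packet("in", "tcp", PEER, 22, HOST, 40002, ack=True),             # 5 forged "mid-dialogue" packet, no such flow
    Packet("out", "udp", HOST, 3456, NS, 53),                         # 6 DNS query
    Packet("in", "udp", NS, 53, HOST, 3456),                          # 7 real answer
    Packet("in", "udp", NS, 53, HOST, 9999),                          # 8 forged "answer" nobody asked for
    Packet("in", "tcp", BAD, 1234, HOST, 22, syn=True),               # 9 plain connection attempt
]


def run_trace(trace=TRACE):
    """Return (stateless verdicts, stateful verdicts) for the trace, in order."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in trace],
            [stateful.filter(p) for p in trace])


if __name__ == "__main__":
    for pkt, a, b in zip(TRACE, *run_trace()):
        flags = ("S" if pkt.syn else "") + ("A" if pkt.ack else "")
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {flags:2}  ipchains={a:6} iptables={b}")
```

Packets 5 and 8 are the two rogue packets from the reply: the stateless filter
accepts both because their headers look right (ACK set, source port 53), while
the stateful filter drops both because nothing in its table says HOST ever
started those flows. Two things the simulation simplifies: real connection
tracking keeps a UDP entry alive for a timeout rather than for exactly one
answer, and a forged packet that correctly guesses the 4-tuple of a flow that
is genuinely open still matches ESTABLISHED, so stopping that case rests on
the endpoints' TCP sequence-number checks rather than on the state match. The
RELATED state (ftp data connections and the like) is not modelled here.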
