--- civileme <[EMAIL PROTECTED]> wrote: > On Tuesday 07 August 2001 22:20, jen wrote: > > L's and G's, > > > > This is my first time setting up > InteractiveBastille and I must admit, It > > is a little nerve-racking to not know exactly what > your doing. While I do > > undertand the premises of services, ports and > basic TCP/IP-acks-denies and > > so-forth, I do not understand why most of these > questions advise me that if > > I use Iptables, I should not worry about most of > these settings. > > > > I did choose the "I want to spend an hour learning > my system option" But > > half of the questions tell me I don't need to > worry if I'm using iptables. > > Would someone be kind enough to tell me <smiles> > or tell me where I might > > go to better understand the differences in the > kernels. I never have dealt > > with anything other than 2.4.X (mandrake 8.0) > > > > as always, thanks in advance. > > > > j > > > OK the difference in ipchains and iptables besides > some obvious syntax in the rules > is that iptables is _stateful_ while ipchains is > not. And it looks like we got there with > it just in time for people to start using it. > > What does stateful mean? It means that sending a > packet changes the state of the > engine handling packets. > > There are many ways to crack a TCP connection or to > put intruder packets into a > system. Most of them require the attacking system > to have raw socket capability. > > With raw sockets, a machine can claim its packets > are from any IP address and > are of any protocol. It can also malform the > packets sent for various purposes, > as is done with the famed "tear drop", "bonk", "ping > of death": and "nestea" > attacks to knock a computer off the internet.. > > Until recently, the easily compromised systems did > not have raw socket capability, > but now, this October, there will be WinXP with full > raw socket capability and the > famous nonexistent Microsoft security. Script > kiddies will be recruiting new > soldiers by compromising these systems, and their > attacks will be extraordinarily > potent. > > The windows machines recruited in the past could > basically send pings and huge > UDP packets to attack other machines, but now they > can come in saying, "Hi, I'm > the packet from your best friend's machine, right in > the middle of a trusted > dialogue." Or, "here is the nameservice information > you requested, (return address > is in fact that of your nameserver)". > > With ipchains, you have NO defense against such > rogue packets--they come through > and try to do whatever it is they came to accomplish > (not very much on a linux > system, but if you are using your linux to protect a > network of windows machines...) > > With iptables, the answer is, "I beg your pardon, > there was no dialogue?" or "Sorry, > I have all answers I was looking for from > nameservices" In either case the rogue > packet is dropped on the floor. > > With kernel 2.4.3 there is an iptables hole > regarding ftp packets at the moment. We > are testing a kernel udate which should plug this > hole. > > Civileme ********* Thank You...this is good information and will help me know where to look for more info. Aren't you supposed to be on Vacation? va·ca·tion (v-kshn, v-) n. A period of time devoted to pleasure, rest, or relaxation, especially one with pay granted to an employee. A holiday. A fixed period of holidays, especially one during which a school, court, or business suspends activities. Archaic. The act or an instance of vacating. Thanks again! ===== Jennifer Registered Linux User #221463 Yahoo IM: jlynn2k #include <knowledge.h> void ignorance (it offers no value) */A freely given answer can offer enlightment to those who ask valid questions __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/
