[Full-Disclosure] Stateful Packet Inspection
Goetz Von Berlichingen
goetzvonberlichingen at comcast.net
Sun Aug 1 17:19:38 BST 2004
Ron DuFresne wrote:
..
> Google search: IPtables SPI ;;
>
> http://www.google.com/search?q=IPtables+SPI&sourceid=mozilla-search&start=0&start=0
A better search would be
http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0,
since yours hits on the patch for IPSEC that allows filtering on
Security Parameter Index (SPI).
The original message has some merit with respect to netfilter - the
Linux kernel firewall is capable of looking at headers only. This does
allow some stateful packet inspection - one can discriminate against
incoming connection attempts with --syn, for instance. This isn't
really stateful, however, since the firewall does not retain any
knowledge of the state of a connection. iptables is pretty much useless
agains covert channels such as Loki, Q, or any of the various tunneling
packages.
The problem with stateful inspection is that it so easily leads to
self-denial of service. An attacker need only make enough legitimate
connections to overflow the firewall's capability. At that point, the
firewall either crashes or quits stateful inspection. Perhaps Mr. Gray
should consider how to add true stateful packet inspection to the
iptables software and contribute that patch back to the community?
Goetz
Full-Disclosure is hosted and sponsored by Secunia.