[Full-Disclosure] Stateful Packet Inspection

whiplash whiplash at despammed.com
Tue Aug 3 21:46:17 BST 2004


Goetz Von Berlichingen wrote:

>   The original message has some merit with respect to netfilter - the 
> Linux kernel firewall is capable of looking at headers only.

Really funny.
Try and explain, then, how Linux netfilter correctly recognizes, nats and keeps state
of protocols like ftp, irc/dcc, h323, pptp and so on.

> This does 
> allow some stateful packet inspection - one can discriminate against 
> incoming connection attempts with --syn, for instance.

Do you have any idea of what stateful means?

> This isn't 
> really stateful, however, since the firewall does not retain any 
> knowledge of the state of a connection.

Yeah, of course.
I suppose that

#lsmod | grep track
ip_conntrack_ftp        5216   1  [ip_nat_ftp]
ip_conntrack_irc        4256   1  [ip_nat_irc]
ip_conntrack           41332   4  (autoclean) [ip_nat_ftp ip_conntrack_ftp ip_nat_irc ip_conntrack_irc ipt_MASQUERADE iptable_nat ipt_state]

is just the output of some hallucination of mine. <g>

> iptables is pretty much useless against covert channels such as Loki, Q, or any of the various tunneling 
> packages.

A good advice for you, absolutely for free: shutdown -h now (do you know what it means, at least? <g>)




Full-Disclosure is hosted and sponsored by Secunia.
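The difference the thread is arguing about, as an added toy model (not netfilter's code, nor anything posted by either author): a connection tracker in the spirit of the ip_conntrack and ip_conntrack_ftp modules from the lsmod output above, run next to a memoryless "! --syn" style check over a constructed active-mode FTP trace. Addresses, ports and the choice of 10.0.0.0/8 as the protected side are assumptions made for the illustration.

```python
import re
# Toy model of ip_conntrack plus the ip_conntrack_ftp helper (added illustration, not netfilter code).
# A packet is (src, sport, dst, dport, tcp_flags, payload); 10.0.0.0/8 is the protected side (constructed).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
inside = lambda ip: ip.startswith("10.")
class ConnTracker:
    def __init__(self):
        self.conns = set()    # accepted 4-tuples, matched in either direction
        self.expect = set()   # (peer, ip, port): data channels the FTP helper expects to see
    def classify(self, pkt):
        src, sport, dst, dport = pkt[:4]
        if (src, sport, dst, dport) in self.conns or (dst, dport, src, sport) in self.conns:
            return "ESTABLISHED"
        return "RELATED" if (src, dst, dport) in self.expect else "NEW"
    def commit(self, pkt):  # called only for accepted packets, like netfilter's confirm step
        src, sport, dst, dport, _flags, payload = pkt
        self.conns.add((src, sport, dst, dport))
        self.expect.discard((src, dst, dport))
        m = PORT_RE.search(payload) if dport == 21 else None   # FTP helper reads PORT on the control channel
        if m:
            a, b, c, d, p1, p2 = map(int, m.groups())
            self.expect.add((dst, f"{a}.{b}.{c}.{d}", p1 * 256 + p2))  # server will connect back to ip:port

def stateless_decision(pkt):
    # '! --syn -j ACCEPT' style: only SYN-only packets from outside are dropped, nothing is remembered
    src, flags = pkt[0], pkt[4]
    return "ACCEPT" if inside(src) or flags != "S" else "DROP"

def stateful_decision(tracker, pkt):
    # '-m state --state ESTABLISHED,RELATED -j ACCEPT' style, with NEW allowed only from inside
    state = tracker.classify(pkt)
    verdict = "ACCEPT" if inside(pkt[0]) or state != "NEW" else "DROP"
    if verdict == "ACCEPT":
        tracker.commit(pkt)
    return verdict

# Constructed trace: 10.0.0.5 does active-mode FTP to 203.0.113.7, then an unsolicited ACK-only packet arrives
TRACE = [
    ("10.0.0.5", 40000, "203.0.113.7", 21, "S", b""),
    ("203.0.113.7", 21, "10.0.0.5", 40000, "SA", b""),
    ("10.0.0.5", 40000, "203.0.113.7", 21, "PA", b"PORT 10,0,0,5,195,89\r\n"),  # announces data port 50009
    ("203.0.113.7", 20, "10.0.0.5", 50009, "S", b""),   # server opens the announced data channel
    ("203.0.113.7", 4444, "10.0.0.5", 22, "A", b""),    # belongs to no tracked connection
]
def run_stateless():
    return [stateless_decision(p) for p in TRACE]
def run_stateful():
    tracker = ConnTracker()
    return [stateful_decision(tracker, p) for p in TRACE]
```

The syn-only check breaks the FTP data channel (fourth packet) yet lets the stray ACK-only packet through, while the tracker accepts the data channel as RELATED because the helper read the PORT command, and drops the packet that belongs to no connection.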