From: Paul Jakma (paul at domain clubi.ie)
Date: Wed 26 Jul 2000 - 03:21:28 IST
On Wed, 26 Jul 2000, Thomas Ribbrock wrote:
> ipfilter tracks more than TCP - keeping state means keeping state on all
> TCP/UDP/ICMP connections.
> Quote form the ipfilter HOTWO[0]:
>
cool. havn't really ever looked that hard at ipfilter. however, one
thing - that piece seems to suggest that ipfilter's stateful
inspection is good for security:
"The fact is, they're all taking the packet's word for it from a part
of the packet anybody can lie about. They read the TCP packet's
flags section and there's the reason UDP/ICMP don't work with it,
they have no such thing. Anybody who can create a packet with bogus
flags can get by a firewall with this setup."
i have a problem with that, as i can't really get it through my thick
skull how stateful filtering can protect against packet spoofing. to
my mind, that circle must be squared in userland.
> See above for part of the explanation. Again: It's not only about TCP.
>
i must have misread the docs about ipfilter that have passed my
eyes.
one thing that stateful does seem very useful (after looking at the
docs for iptables) for is doing things like allowing an ICMP error to
be forwarded if it's in response to a connection. (as someone pointed
out in an old thread - it seems good for mgt of IP).
but i still think security is a matter of either/both:
- securing the transport between 2 hosts, eg link layer encryption or
encrypted tunnels.
- application level security.
stateful packet filtering just does not give you extra security over
static inspection. (to my impaired mind).
> What makes you think that? Another quote form the HOWTO:
i think what i was looking at was not the BSD ipfilter. I was looking
at ipfilter for IRIX 6.2. 's been a while though.
> You probably should have a glance at that HOWTO:
> http://www.obfuscation.org/ipf/ipf-howto.txt
> It's very well written and well worth a read. ipfilter sure seems to be
> extremely powerful.
>
i'm sure it is.
> Whether it really is, I'll be able to tell you some time in August, as I'm
> currently moving my Firewall/Dial-Up/Masquerading machine from Linux/ipfwadm
> to OpenBSD/ipfilter. I'll be happy to provide first-hand experiences.
>
love to hear it. however it is my duty as a devout linux fanatic to
point out that Linux 2.4 has iptables with 'conntrack' modules which
will do everything you need to do plus more. (eg you can apply rate
limits to rules to throttle SYN's/ICMP/logging/etc..).
use linux 2.4 man... it rulez!
> Regards,
>
> Thomas
>
regards,
-- Paul Jakma paul at domain clubi.ie PGP5 key: http://www.clubi.ie/jakma/publickey.txt ------------------------------------------- Fortune: Chemistry professors never die, they just fail to react.
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:06:59 GMT