From: "Oskar Andreasson" <blueflux@koffein.net>
To: "Jozsef Kadlecsik" <kadlec@blackhole.kfki.hu>
Cc: <netfilter-devel@lists.samba.org>
Subject: Re: Security flaw in Stateful filtering ??????
Date: Mon, 10 Jun 2002 10:04:56 +0200
Message-ID: <015d01c21055$82f7aed0$6501a8c0@multisofteducation.com>
In-Reply-To: Pine.LNX.4.33.0206071425210.4373-100000@blackhole.kfki.hu

Hi Jozsef,

Sorry for the late reply. I never suggested that this usage (see below) is only theoretical and I'm very sorry if it was misinterpreted as that. 

My proposal was to create a way of doing a more secure, and stateful, redundancy mechanism. For example, 2 or more firewalls which share their conntrack tables via some userspace daemons. This would require the daemon to have read/write access to the conntrack tables via netlink however, and I am not fully aware of the possibilities of this.

Once again, I am extremely sorry if you misinterpreted the whole mail as a suggestion that this is only theoretical. I know that you among others have told me and others that you've already implemented this in practice. 

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: blueflux@koffein.net

----- Original Message ----- 
From: "Jozsef Kadlecsik" <kadlec@blackhole.kfki.hu>
To: "Oskar Andreasson" <blueflux@koffein.net>
Cc: <netfilter-devel@lists.samba.org>
Sent: Friday, June 07, 2002 2:27 PM
Subject: Re: Security flaw in Stateful filtering ??????


> On Fri, 7 Jun 2002, Oskar Andreasson wrote:
> 
> > Another, related, usage is
> > if we have a redundant firewall (I haven't seen this discussed so far
> > so.... Consider this:
> >
> > 1 main firewall
> > 1 router
> > and a secondary firewall.
> >
> > The three are set up in a routing zone. If the main firewall goes
> > down, the router will notice, and route packets through the redundant
> > firewall. If the NEW target was to allow only SYN packets, this would
> > be impossible as you can understand from this.
> 
> We have been using such a redundant setup for more than a year.
> It's *not* theoretical.
> 
> Regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
> 
> 
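The failover scenario quoted above, as an added toy simulation that is not code from the thread or from netfilter: a minimal stateful filter with a conntrack table, a "NEW only on SYN" policy, and a secondary firewall that either has or has not received the primary's state (the packet fields, addresses and the `sync_tables` switch are constructed for illustration).

```python
# Added example: why a standby firewall with an empty conntrack table drops
# mid-stream packets under a "NEW only on SYN" policy, and how a synced
# table (as the userspace daemon idea in the thread would provide) avoids it.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # constructed: "SYN" or "ACK"


@dataclass
class StatefulFirewall:
    name: str
    # toy conntrack table: one direction-independent key per known connection
    conntrack: set = field(default_factory=set)

    def _key(self, p):
        # frozenset so the reply direction matches the same entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        key = self._key(p)
        if key in self.conntrack:
            return "ACCEPT"  # known connection (ESTABLISHED-like)
        # Packet is NEW to this firewall; policy admits NEW only on SYN
        if p.flags == "SYN":
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"  # bare ACK with no state: dropped


def failover_demo(sync_tables):
    primary = StatefulFirewall("primary")
    secondary = StatefulFirewall("secondary")
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "SYN")
    ack = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "ACK")
    v1 = primary.filter(syn)  # connection set up through the primary
    if sync_tables:
        # a state-sync daemon has copied the primary's table to the standby
        secondary.conntrack |= primary.conntrack
    # primary goes down; the router now sends the mid-stream ACK via secondary
    v2 = secondary.filter(ack)
    return v1, v2
```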

