* State of Stateful Inspection
@ 2002-10-24 20:06 Jason Dixon
2002-10-25 8:21 ` Cedric Blancher
0 siblings, 1 reply; 3+ messages in thread
From: Jason Dixon @ 2002-10-24 20:06 UTC (permalink / raw)
To: netfilter
Hi all-
I'm about to become a migrated iptables user, but I had a couple of
questions about the stateful abilities of netfilter. First, it appears
that true sequence number analysis is available via this "patch-o-matic"
thingy. At what point does this feature become part of the default
release?
Also, does netfilter support any sort of sequence modulation to
strengthen the randomness of weak tcp implementations?
Thanks,
Jason
* Re: State of Stateful Inspection
From: Cedric Blancher @ 2002-10-25 8:21 UTC (permalink / raw)
To: Jason Dixon; +Cc: netfilter
On Thu 24/10/2002 at 22:06, Jason Dixon wrote:
> I'm about to become a migrated iptables user, but I had a couple of
> questions about the stateful abilities of netfilter. First, it appears
> that true sequence number analysis is available via this "patch-o-matic"
> thingy. At what point does this feature become part of the default
> release?
Well, you should ask netfilter-devel mailing list ;)
But, as the patch is still in patch-o-matic extra section, I do not
think it will be submitted to kernel soon.
> Also, does netfilter support any sort of sequence modulation to
> strengthen the randomness of weak tcp implementations?
No.
But you can use a third-party patch called IP Personality:
http://ippersonality.sourceforge.net/
This patch aims at fooling OS fingerprinting systems such as nmap by
modifying network stack behaviours, both locally and for routed packets.
In particular, you can act on ISNs, and so randomize them for networks
that are behind your firewall.
Beware: this patch can also weaken your architecture if you decide to
"export" OS fingerprints like Dreamcasts or HP printers ;)
--
Cédric Blancher <blancher@cartel-securite.fr>
Network and systems security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: State of Stateful Inspection
From: Oskar Andreasson @ 2002-10-25 10:44 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Jason Dixon, netfilter
On 25 Oct 2002, Cedric Blancher wrote:
> On Thu 24/10/2002 at 22:06, Jason Dixon wrote:
> > I'm about to become a migrated iptables user, but I had a couple of
> > questions about the stateful abilities of netfilter. First, it appears
> > that true sequence number analysis is available via this "patch-o-matic"
> > thingy. At what point does this feature become part of the default
> > release?
>
> Well, you should ask netfilter-devel mailing list ;)
> But, as the patch is still in patch-o-matic extra section, I do not
> think it will be submitted to kernel soon.
>
According to the last mails I read on the list on this topic, the
tcp-window-tracking.patch is waiting for someone to take a look at
problems with very slow mail deliveries that arose because of the patch.
After that, Josefsson (I think?) sent out a new version of the patch that
should hopefully fix the problem... that's the last I heard.
If the new patch fixes the problem and everything seems to work it should
go into mainstream kernel rather soon actually.
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net