From: Emmanuel Fleury <fleury@cs.auc.dk>
To: netfilter-devel@lists.samba.org
Subject: Re: Security flaw in Stateful filtering ??????
Date: Mon, 10 Jun 2002 10:26:27 +0200 [thread overview]
Message-ID: <3D0462B3.80208@cs.auc.dk> (raw)
In-Reply-To: 015d01c21055$82f7aed0$6501a8c0@multisofteducation.com
Hi Oskar,
Oskar Andreasson wrote:
>
> My proposal was to create a way of doing more secure, and
> stateful, redundancy mechanism. For example, 2 or more firewalls
> which shares their conntrack tables via some userspace daemons.
> This would require the daemon to have read/write access to the
> conntrack tables via netlink however, and I am not fully aware
> of the possibilities of this.
Well I don't know if it will be more secure, but this idea is
interesting for me.
I already was thinking about something similar.
Indeed, if you consider a network which has several access points
to the Internet (let say FW1 and FW2). It is very 'dangerous' to
run stateful on these access point because a packet which is part
of a connection can go either through FW1 either trough FW2 (no static
routing is assumed).
As only one of your firewall had registered the connection (in the best
case), the other one will drop all the packets... (except if you
consider the "ACK is NEW" behaviour).
The 'solution' would be to consider what can be called a 'distributed
stateful firewall' which maintain a centralized connection table for
all your firewalls...
But, it raises a lot of problems like cache consistency over a network,
what to do if the three way handshake is distributed on the your
firewalls, and so on....
The most surprising is that this 'ACK is NEW' thing is solving
this problem also (even if I think that this is a dirty hack ;-)).
--
Emmanuel
You have to understand what the primary objective of an OS is:
To create a virtual environment that is simple and sane to program
against....
Have you learned nothing at all from DOS and Windows?
-- Linus Torvalds
next prev parent reply other threads:[~2002-06-10 8:26 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20020606220914.A14542@groar.org>
2002-06-06 23:31 ` Security flaw in Stateful filtering ?????? Rusty Russell
2002-06-06 23:52 ` Joerg Mayer
2002-06-07 2:10 ` Rusty Russell
2002-06-07 2:53 ` Joerg Mayer
2002-06-07 12:45 ` Marcus Sundberg
2002-06-07 14:36 ` Henrik Nordstrom
2002-06-07 21:48 ` Ben Reser
2002-06-07 8:15 ` Emmanuel Fleury
2002-06-07 8:50 ` Oskar Andreasson
2002-06-07 12:27 ` Jozsef Kadlecsik
2002-06-10 8:04 ` Oskar Andreasson
2002-06-10 8:26 ` Emmanuel Fleury [this message]
2002-06-12 9:23 ` Jozsef Kadlecsik
2002-06-07 9:05 ` Henrik Nordstrom
2002-06-07 9:31 ` Emmanuel Fleury
2002-06-07 9:41 ` Oskar Andreasson
2002-06-07 9:43 ` Guillaume Morin
2002-06-07 9:57 ` Emmanuel Fleury
2002-06-07 10:17 ` Guillaume Morin
2002-06-07 11:30 ` Emmanuel Fleury
2002-06-07 13:33 ` Guillaume Morin
2002-06-07 15:13 ` Emmanuel Fleury
2002-06-07 18:36 ` Guillaume Morin
2002-06-07 19:00 ` Patrick Schaaf
2002-06-08 2:06 ` Emmanuel Fleury
2002-06-08 8:21 ` Patrick Schaaf
2002-06-08 12:02 ` Henrik Nordstrom
2002-06-09 7:03 ` Emmanuel Fleury
2002-06-09 8:29 ` Patrick Schaaf
2002-06-08 1:42 ` Emmanuel Fleury
2002-06-07 10:17 ` Henrik Nordstrom
2002-06-07 10:11 ` Henrik Nordstrom
2002-06-07 22:02 ` Ben Reser
2002-06-08 2:13 ` Emmanuel Fleury
2002-06-08 8:23 ` Patrick Schaaf
2002-06-08 16:41 ` Ben Reser
2002-06-08 9:07 ` ACK is NEW: Conclusion ? (was:Re: Security flaw in Stateful filtering ??????) Emmanuel Fleury
2002-06-07 9:42 Security flaw in Stateful filtering ?????? Mikkel Christiansen
2002-06-08 7:44 ` Harald Welte
-- strict thread matches above, loose matches on Subject: below --
2002-06-06 22:15 Andy Whitcroft
2002-06-06 19:29 Sneppe Filip
2002-06-06 17:21 Emmanuel Fleury
2002-06-06 17:48 ` Martin Josefsson
2002-06-06 17:54 ` Maciej Soltysiak
2002-06-06 18:52 ` Emmanuel Fleury
2002-06-06 19:11 ` Maciej Soltysiak
2002-06-06 19:30 ` Guillaume Morin
2002-06-06 19:53 ` Patrick Schaaf
2002-06-06 19:43 ` Henrik Nordstrom
2002-06-06 17:57 ` Patrick Schaaf
2002-06-06 18:34 ` Emmanuel Fleury
2002-06-06 19:12 ` Patrick Schaaf
2002-06-06 19:28 ` Emmanuel Fleury
2002-06-06 19:27 ` Henrik Nordstrom
2002-06-06 20:50 ` Emmanuel Fleury
2002-06-06 21:26 ` Henrik Nordstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3D0462B3.80208@cs.auc.dk \
--to=fleury@cs.auc.dk \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.