From: Nicolas Bareil <nico@chdir.org>
To: netfilter-devel@vger.kernel.org
Subject: Re: scrubbing support in Netfilter
Date: Wed, 28 May 2008 09:33:31 +0200 [thread overview]
Message-ID: <87d4n6nar8.fsf@chdir.org> (raw)
In-Reply-To: 483CE1D7.30408@trash.net
Patrick McHardy <kaber@trash.net> writes:
> No, unless you're referring to the unwanted side-effects from
> defragmentation and refragmentation for IPv4. I also don't
> want to include something like this in netfilter, NAT is
> already bad enough and the threats it *might* protect against
> seem a bit vague. Better throw your broken IDS out if it can
> be fooled by changing TTLs.
Indeed, you're totally right: in an ideal world, it should be useless
and avoided, but there are cases where you need "a workaround" because
you have some legacy equipment, broken IDS, broken TCP/IP stack, etc.
> I don't want to sound too discouraging though, I have no problem
> adding it to the pom-ng sources.list.
No problem, if you feel it better fits there, I'm ok with that.
> I assume its a random offset per connection, but still, no.
> You can also still distinguish different hosts by their clock
> rates.
What do you mean precisely? Variation of the TCP Timestamp? TCP
retransmission mechanisms?
Thanks
--
Nicolas Bareil http://chdir.org/~nico/
OpenPGP=0xAE4F7057 Fingerprint=34DB22091049FB2F33E6B71580F314DAAE4F7057
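The clock-rate remark in the quoted reply, illustrated with added example code that is not part of this thread or of netfilter: a scrubber that adds a random offset per connection to the TCP timestamp (TSval) changes where the counter starts, but the counter still advances at the host's own tick rate, so the slope of TSval against time is unchanged. All sample connections below are constructed, not captured traffic.

```python
"""Added example, not from the thread or from netfilter: why a random
per-connection offset on the TCP timestamp (TSval) does not hide a
host's clock rate. TSval advances at the host's fixed tick rate, so a
constant offset changes the intercept of TSval-vs-time but not its
slope; a handful of samples still reveal the rate. Inputs are constructed."""
import random

TS_MOD = 1 << 32  # TSval is a 32-bit wrapping counter


def make_connection(tick_hz, offset, n=20, step=0.5):
    """Constructed (observer_time_s, tsval) samples for one connection of a
    host ticking at tick_hz, with a scrubber-added per-connection offset."""
    return [(i * step, (offset + round(i * step * tick_hz)) % TS_MOD)
            for i in range(n)]


def unwrap(samples):
    """Rebase on the first sample so a 32-bit wrap inside the connection
    does not corrupt the slope estimate."""
    t0, v0 = samples[0]
    return [(t - t0, (v - v0) % TS_MOD) for t, v in samples]


def estimate_tick_rate(samples):
    """Least-squares slope of TSval against observer time, in ticks/second."""
    pts = unwrap(samples)
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    mv = sum(v for _, v in pts) / n
    num = sum((t - mt) * (v - mv) for t, v in pts)
    den = sum((t - mt) ** 2 for t, _ in pts)
    return num / den


def scrubbed_connections(tick_hz, count, seed):
    """count connections from one host, each with a fresh random offset."""
    rng = random.Random(seed)
    return [make_connection(tick_hz, rng.randrange(TS_MOD)) for _ in range(count)]


def group_by_rate(connections):
    """Cluster connections by estimated tick rate, rounded to whole Hz.
    Connections from the same host land in the same bucket even though
    every one of them started from a different offset."""
    groups = {}
    for conn in connections:
        groups.setdefault(round(estimate_tick_rate(conn)), []).append(conn)
    return groups


if __name__ == "__main__":
    conns = scrubbed_connections(100, 3, 1) + scrubbed_connections(250, 3, 2)
    for rate, group in sorted(group_by_rate(conns).items()):
        print(f"{rate} Hz: {len(group)} connections, first TSvals "
              f"{[c[0][1] for c in group]}")
```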