[ale] IPTables and Stateful-Inspection
Chris Ricker
kaboom at gatech.edu
Tue Apr 29 09:39:53 EDT 2003
On Tue, 29 Apr 2003, Raju wrote:
> Hey folks,
> A couple of questions on IPTables and your comments
>
> 1. Most Firewalls (at least the ones that do Stateful-Inspection) offer
> TCP sequence number randomization. This helps prevent attacks against
> sequence number guessing. Does IPTables offer this feature?
That's a feature of the network stack, not of the packet filter riding on /
in the stack. Modern Linux kernels (meaning 2.2 and later) implement RFC
1948 for TCP ISN (i.e., strong randomization).
> 2. If IPtables supports Stateful-Inspection, where would you view the
> state information?
It is stateful, but there aren't any commands AFAIK to really dump the
state table. My guess is that you get to write your own ;-)
> I have worked with commercial firewalls for several years, namely Cisco's
> PIX and Checkpoint, and personally would like to see more Linux-based
> Firewalls in the market :-).
At least some of Checkpoint's stuff is available for Linux, and they also
make turnkey firewall hardware which is running their software on top of Red
Hat Linux.
later,
chris
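To make the RFC 1948 point concrete, here is an added worked example (not from the list post and not the kernel's own code) of the ISN construction the RFC describes: ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the RFC 793 4-microsecond clock and F is a keyed hash truncated to 32 bits. The hash choice (MD5), the tuple encoding and the secret are assumptions for illustration; the example shows why the same connection pair still gets a monotonically advancing ISN while different pairs get offsets that cannot be derived from one another without the secret.

```python
"""RFC 1948 style TCP ISN selection, illustrative only (assumed MD5 as F)."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret, now_us):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    M is the RFC 793 clock, one tick per 4 microseconds; F is a keyed MD5
    over the 4-tuple, truncated to 32 bits (RFC 1948 suggests MD5 for F).
    """
    m = (now_us // 4) & MASK32
    tuple_bytes = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
    digest = hashlib.md5(tuple_bytes + secret).digest()
    f = struct.unpack("!I", digest[:4])[0]
    return (m + f) & MASK32


def isn_delta(a, b):
    """Signed 32-bit difference b - a, i.e. how far sequence number b is ahead of a."""
    return ((b - a + 0x80000000) & MASK32) - 0x80000000


def same_pair_advance(secret, now_us, elapsed_us):
    """Same 4-tuple sampled twice: the ISN advances exactly with the clock,
    so a host reconnecting to the same peer never collides with old segments."""
    a = rfc1948_isn("192.0.2.10", 40001, "198.51.100.5", 22, secret, now_us)
    b = rfc1948_isn("192.0.2.10", 40001, "198.51.100.5", 22, secret, now_us + elapsed_us)
    return isn_delta(a, b)


def cross_pair_offset(secret, now_us):
    """Two different peers at the same instant: the difference is the difference
    of two keyed hashes, which an observer cannot compute without `secret`."""
    a = rfc1948_isn("192.0.2.10", 40001, "198.51.100.5", 22, secret, now_us)
    b = rfc1948_isn("192.0.2.10", 40002, "198.51.100.7", 80, secret, now_us)
    return isn_delta(a, b)


if __name__ == "__main__":
    # Constructed values: a fixed secret and a fixed "now" so the run is repeatable.
    secret = b"constructed-host-secret"
    now_us = 1_000_000_000
    print("same pair, 4000 us later: delta =", same_pair_advance(secret, now_us, 4000))
    print("different pair, same instant: delta =", cross_pair_offset(secret, now_us))
```

The first delta is always 1000 (4000 microseconds at one tick per 4 microseconds) regardless of the secret, which is what keeps RFC 793's anti-overlap guarantee; the second depends entirely on the secret. Later Linux kernels keep this shape but use a stronger keyed hash with a periodically regenerated secret, so treat the MD5 here as a teaching stand-in rather than current kernel behaviour.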
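On the "write your own" remark about viewing state: on 2.4-era kernels the connection-tracking table is readable as text at /proc/net/ip_conntrack (later kernels moved it to /proc/net/nf_conntrack with a leading L3 protocol column); this is not stated in the post and should be checked on your own kernel. The following is an added example, not from the post or from netfilter, of a small parser over constructed sample lines in both layouts that rebuilds each entry's original and reply tuples and flags half-open TCP entries ([UNREPLIED] with a state of SYN_SENT) that a defender would watch as a SYN-flood indicator.

```python
"""Parse Linux conntrack table dumps; sample lines below are constructed."""
import re
from collections import Counter

# Constructed sample: three /proc/net/ip_conntrack style lines and one
# /proc/net/nf_conntrack style line (which prefixes "ipv4 2" before the L4 proto).
SAMPLE_DUMP = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=33204 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=33204 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.9 sport=40001 dport=80 [UNREPLIED] src=10.0.0.9 dst=192.168.1.10 sport=80 dport=40001 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=50422 dport=443 src=10.0.0.5 dst=192.168.1.11 sport=443 dport=50422 [ASSURED] mark=0 zone=0 use=2
"""

KV = re.compile(r"^(\w+)=(\S+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Return one conntrack entry as a dict, or None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    entry = {"l3": "ipv4", "proto": None, "state": None, "flags": [], "orig": {}, "reply": {}}
    if tokens[0] in ("ipv4", "ipv6"):       # nf_conntrack layout: "<l3> <l3num> <proto> ..."
        entry["l3"] = tokens[0]
        tokens = tokens[2:]
    entry["proto"] = tokens[0]
    entry["timeout"] = int(tokens[2])       # seconds until the entry expires
    rest = tokens[3:]
    if entry["proto"] == "tcp":             # only TCP entries carry a state name
        entry["state"] = rest[0]
        rest = rest[1:]
    direction = "orig"
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        m = KV.match(tok)
        if not m:
            continue
        key, val = m.groups()
        if key == "src" and entry["orig"]:  # the second src= starts the reply tuple
            direction = "reply"
        if key in TUPLE_KEYS:
            entry[direction][key] = val
        else:
            entry[key] = val                # use=, mark=, zone=, ...
    return entry


def summarize(dump):
    """Parse a whole dump; return entries, counts by (proto, state), half-open TCP entries."""
    entries = [e for e in (parse_entry(ln) for ln in dump.splitlines()) if e]
    by_state = Counter((e["proto"], e["state"] or "-") for e in entries)
    half_open = [e for e in entries
                 if e["proto"] == "tcp" and "UNREPLIED" in e["flags"] and e["state"] == "SYN_SENT"]
    return entries, by_state, half_open


if __name__ == "__main__":
    # To read the live table instead: open("/proc/net/ip_conntrack").read() on a 2.4 kernel.
    entries, by_state, half_open = summarize(SAMPLE_DUMP)
    for (proto, state), n in sorted(by_state.items()):
        print(f"{proto:4} {state:12} {n}")
    for e in half_open:
        print("half-open:", e["orig"], "timeout", e["timeout"])
```

A sudden rise in half-open entries relative to ESTABLISHED ones, or a table approaching its maximum size, is the kind of signal this table gives a defender that the filter's rule counters alone do not.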
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale