[ale] IPTables and Stateful-Inspection

Raju mr at 4securenet.com
Tue Apr 29 10:02:56 EDT 2003



> On Tue, 29 Apr 2003, Raju wrote:
>
>> Hey folks,
>>   A couple of questions on IPTables and your comments
>>
>> 1. Most Firewalls (at least the ones that do Stateful-Inspection)
>> offer TCP sequence number randomization. This helps prevent
>> attacks against sequence number guessing. Does IPTables offer this
>> feature?
>
> That's a feature of the network stack, not of the packet filter riding
> on / in the stack. Modern Linux kernels (meaning 2.2 and later)
> implement RFC 1948 for TCP ISN (i.e., strong randomization).
>

Thanks for pointing that out :-)


>> 2. If IPtables supports Stateful-Inspection, where would you view the
>> state information?
>
> It is stateful, but there aren't any commands AFAIK to really dump the
> state table. My guess is that you get to write your own ;-)
>

Hmmm... maybe an interesting project to take up :-)

>> I have worked with commercial firewalls for several years, namely
>> Cisco's PIX and Checkpoint, and personally would like to see more
>> Linux-based Firewalls in the market :-).
>
> At least some of Checkpoint's stuff is available for Linux, and they
> also make turnkey firewall hardware which is running their software on
> top of Red Hat Linux.
>

Checkpoint has plans to drop support for Linux (not sure if this is
confirmed, but that's what I hear from a few CP guys). The reason being not
much demand compared to CP running on Solaris and the piece of $h!@^ NT
(Arrghh... NT => Not Today, No Telling, Nice Try, etc.). It irritates me
when management of any company frowns if they don't see that big fat price
tag on anything :-). Although most companies use the Nokia IPSO (a
hardened version of FreeBSD) Appliance for most CP installations.


> later,
> chris
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

Regards,

Raju
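The state table that Chris says you would have to dump yourself, as an added example that is not part of this thread (my own code, not netfilter's): a small Python reader for the text the 2.4-era ip_conntrack module exposes under /proc/net/ip_conntrack. The path and the one-connection-per-line layout are assumptions about that module, and the sample table below is constructed for the example.

```python
"""Minimal reader for the iptables connection-tracking state table.

Added example; not code from the thread or from the netfilter project.
Assumption: the Linux 2.4-era ip_conntrack module exposes its state
table as text in /proc/net/ip_conntrack, one connection per line:

  tcp 6 431999 ESTABLISHED src=.. dst=.. sport=.. dport=.. \
      src=.. dst=.. sport=.. dport=.. [ASSURED] use=1

The lines in SAMPLE_TABLE are constructed for this example.
"""
import re
from collections import Counter

SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=40122 dport=80 src=203.0.113.5 dst=192.168.1.20 sport=80 dport=40122 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=203.0.113.9 sport=40123 dport=443 [UNREPLIED] src=203.0.113.9 dst=192.168.1.20 sport=443 dport=40123 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=51000 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=51000 use=1
tcp      6 43 TIME_WAIT src=192.168.1.31 dst=203.0.113.5 sport=40200 dport=80 src=203.0.113.5 dst=192.168.1.31 sport=80 dport=40200 [ASSURED] use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")      # key=value tokens
FLAG_RE = re.compile(r"\[(\w+)\]")      # [ASSURED], [UNREPLIED]


def parse_conntrack_line(line):
    """Split one ip_conntrack line into a dict.

    Layout: protocol name, protocol number, timeout in seconds, an
    optional TCP state word, then the original-direction tuple and the
    reply-direction tuple (each src=/dst=/sport=/dport=).
    """
    fields = line.split()
    proto = fields[0]
    timeout = int(fields[2])
    # Only TCP carries a state word; UDP/ICMP go straight to the tuples.
    state = fields[3] if proto == "tcp" else None
    kvs = KV_RE.findall(line)
    orig = dict(kvs[:4])        # first tuple: original direction
    reply = dict(kvs[4:8])      # second tuple: reply direction
    flags = FLAG_RE.findall(line)
    return {
        "proto": proto, "timeout": timeout, "state": state,
        "orig": orig, "reply": reply,
        "assured": "ASSURED" in flags,
        "unreplied": "UNREPLIED" in flags,
    }


def parse_conntrack(text):
    """Parse a whole table dump, skipping blank lines."""
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries):
    """Count tracked connections per (protocol, state)."""
    return Counter((e["proto"], e["state"]) for e in entries)


def unreplied(entries):
    """Entries the far side never answered: half-open connections worth a look."""
    return [e for e in entries if e["unreplied"]]


def load_live_table(path="/proc/net/ip_conntrack"):
    """Read the live table (assumed path; needs the ip_conntrack module loaded)."""
    with open(path) as f:
        return parse_conntrack(f.read())


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_TABLE)
    for (proto, state), n in sorted(summarize(entries).items(), key=str):
        print(f"{proto:4} {state or '-':12} {n}")
    for e in unreplied(entries):
        print("unreplied:", e["orig"]["dst"], e["orig"]["dport"])
```

Run as a script it prints the per-state counts for the constructed table and lists the half-open entry; swap `parse_conntrack(SAMPLE_TABLE)` for `load_live_table()` on a box with the module loaded to see real state.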