Patrick McHardy <kaber@xxxxxxxxx> writes:

> No, unless you're referring to the unwanted side-effects from
> defragmentation and refragmentation for IPv4. I also don't
> want to include something like this in netfilter, NAT is
> already bad enough and the threats it *might* protect against
> seem a bit vague. Better throw your broken IDS out if it can
> be fooled by changing TTLs.

Indeed, you're totally right: in an ideal world, it should be useless and avoided, but there are cases where you need "a workaround" because you have some legacy equipment, broken IDS, broken TCP/IP stack, etc.

> I don't want to sound too discouraging though, I have no problem
> adding it to the pom-ng sources.list.

No problem, if you feel it better fits there, I'm OK with that.

> I assume it's a random offset per connection, but still, no.
> You can also still distinguish different hosts by their clock
> rates.

What do you mean precisely? Variation of the TCP timestamp? TCP retransmission mechanisms?

Thanks

--
Nicolas Bareil
http://chdir.org/~nico/
OpenPGP=0xAE4F7057
Fingerprint=34DB22091049FB2F33E6B71580F314DAAE4F7057

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
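The clock-rate point Patrick raises, worked through as an added example (this is not code from the thread, from netfilter or from pom-ng): an administrator evaluating a "random TCP timestamp offset per connection" workaround for NAT would want to check whether it actually hides which internal host a connection belongs to. The simulation below constructs two hypothetical hosts whose TCP timestamp clocks tick at 100 Hz and 1000 Hz, gives every connection its own random 32-bit offset, and then fits TSval against wall-clock time for each connection. The offset only moves the intercept; the slope (ticks per second) still separates the connections into per-host groups. All names, rates, sample intervals and connection ids are constructed for the example.

```python
import random

# Hypothetical TCP timestamp clock rates (ticks per second) of two hosts
# sitting behind the same NAT. Constructed values, not measured ones.
HOST_CLOCK_HZ = {"host-A": 100.0, "host-B": 1000.0}


def make_connection(host, n_samples=20, interval_s=0.5, seed=0):
    """Simulate one connection from `host`.

    Returns a list of (wall_time_seconds, tsval) pairs, as a passive
    observer would record them from the TCP timestamp option. Each
    connection gets its own random 32-bit offset, modelling the
    per-connection randomisation workaround discussed in the thread.
    """
    rng = random.Random(seed)
    rate = HOST_CLOCK_HZ[host]
    offset = rng.getrandbits(32)
    samples = []
    for i in range(n_samples):
        t = i * interval_s
        tsval = (offset + int(t * rate)) % 2**32   # 32-bit TSval wraps
        samples.append((t, tsval))
    return samples


def estimate_clock_rate(samples):
    """Least-squares slope of TSval against wall-clock time (ticks/second).

    TSvals are unwrapped relative to the first sample so a 32-bit wrap
    inside the window does not distort the fit. The random offset only
    shifts the intercept, so it does not affect the returned slope.
    """
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) % 2**32 for _, ts in samples]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def group_by_clock_rate(connections, tolerance=0.05):
    """Cluster connections whose estimated clock rates agree within
    `tolerance` (relative). Returns a list of {"rate": ..., "conns": [...]}.
    Connections that land in the same group most likely share a host,
    regardless of their (different) timestamp offsets."""
    groups = []
    for cid, samples in connections.items():
        rate = estimate_clock_rate(samples)
        for g in groups:
            if abs(g["rate"] - rate) <= tolerance * g["rate"]:
                g["conns"].append(cid)
                break
        else:
            groups.append({"rate": rate, "conns": [cid]})
    return groups


def build_sample_connections():
    """Constructed traffic: two connections per host, each with its own
    random offset (different seeds give different offsets)."""
    return {
        "A-1": make_connection("host-A", seed=11),
        "A-2": make_connection("host-A", seed=12),
        "B-1": make_connection("host-B", seed=21),
        "B-2": make_connection("host-B", seed=22),
    }


if __name__ == "__main__":
    conns = build_sample_connections()
    for cid, samples in conns.items():
        print(cid, "first TSval", samples[0][1],
              "estimated rate %.1f Hz" % estimate_clock_rate(samples))
    for g in group_by_clock_rate(conns):
        print("rate %.1f Hz -> connections %s" % (g["rate"], g["conns"]))
```

Comparing the raw first TSvals shows the offsets doing their job (the four values are unrelated), while the grouping shows why that is not enough: the slope is a property of the host's clock, not of the connection. Hiding it would require rewriting every TSval to a common synthetic clock, which is considerably more invasive than a per-connection offset.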