On Sun, 11 Nov 2012, Nicolas Ma?tre wrote:

> I've been trying to understand netfilter's connection tracking for TCP.
>
> The FSM used is a simplified version of the usual TCP FSM, and
> therefore, as I understand it, it does not permit a perfect tracking
> of TCP.

Perfect tracking is not possible, because the packets we see may get lost in transit to the destination.

> A first question is: why not rely on a better version of the FSM? It
> would maybe imply that the states of both end-hosts should be stored,
> but it would also allow a finer-grained tracking of the connection.

Someone should simply come up with a better version.

> I assume this is because the firewall doesn't need to be so specific
> about the tracking, but why not? Wouldn't it be better from a security
> viewpoint?
>
> In the same line of thinking, I can see that, for example, at the
> regular connection closing, no check is done on the direction of the
> FIN segments. AFAIK, this would mean that a host could make the
> firewall think that a connection is closed when it is actually sending
> a FIN segment 2 times. A one-liner check would make sure that both FINs
> come from different hosts, so why omit this?

That's documented in a comment in the state table. If there's a real threat from it, then that one-liner should be added to the code.

> The real question is: am I missing something important that would make
> this kind of thing insignificant?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
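The closing-phase behaviour the question describes, as an added illustration that is not code from this thread or from netfilter. The state names follow netfilter's TCP conntrack states, but the transition table is a reduced version assumed for this example, not the kernel's table. The `check_fin_direction` switch is a hypothetical stand-in for the "one-liner" under discussion, and the two packet traces are constructed.

```python
from enum import Enum, auto


class State(Enum):
    # Names follow netfilter's TCP conntrack states; the transition table
    # below is a reduced, assumed version written for this example only.
    ESTABLISHED = auto()
    FIN_WAIT = auto()   # a FIN has been seen in one direction
    LAST_ACK = auto()   # second FIN seen, waiting for the last ACK
    TIME_WAIT = auto()  # last ACK seen; the connection is finished
    CLOSE = auto()      # RST seen


ORIG, REPLY = "orig", "reply"   # conntrack's two directions


class TcpTracker:
    def __init__(self, check_fin_direction):
        # check_fin_direction=False mirrors the behaviour the question
        # describes: a second FIN moves FIN_WAIT -> LAST_ACK whichever side
        # sent it.  True adds the hypothetical one-liner: the second FIN must
        # come from the other direction.
        self.check = check_fin_direction
        self.state = State.ESTABLISHED
        self.fin_seen = set()   # directions in which a FIN has been seen

    def packet(self, direction, flags):
        """Feed one segment; flags is a comma-separated string like "FIN,ACK"."""
        f = set(flags.split(","))
        if "RST" in f:
            self.state = State.CLOSE
        elif "FIN" in f:
            if self.state is State.ESTABLISHED:
                self.state = State.FIN_WAIT
            elif self.state is State.FIN_WAIT:
                if self.check and direction in self.fin_seen:
                    pass    # repeated FIN from the same host: stay in FIN_WAIT
                else:
                    self.state = State.LAST_ACK
            # a FIN in LAST_ACK/TIME_WAIT/CLOSE is a retransmission: no change
            self.fin_seen.add(direction)
        elif "ACK" in f and self.state is State.LAST_ACK:
            self.state = State.TIME_WAIT
        return self.state


def final_state(packets, check_fin_direction):
    """Run a packet sequence through a fresh tracker and return the end state."""
    t = TcpTracker(check_fin_direction)
    for direction, flags in packets:
        t.packet(direction, flags)
    return t.state


# Constructed traces, as seen by the firewall.
NORMAL_CLOSE = [(ORIG, "FIN,ACK"), (REPLY, "ACK"), (REPLY, "FIN,ACK"), (ORIG, "ACK")]
# One host sends FIN twice; the peer only ACKs and never closes its own side.
DOUBLE_FIN_ONE_SIDE = [(ORIG, "FIN,ACK"), (ORIG, "FIN,ACK"), (REPLY, "ACK")]

if __name__ == "__main__":
    traces = (("normal close", NORMAL_CLOSE),
              ("double FIN from one side", DOUBLE_FIN_ONE_SIDE))
    for name, trace in traces:
        print(f"{name:26} no direction check: {final_state(trace, False).name:10}"
              f" with check: {final_state(trace, True).name}")
```

Run as a script, it prints the end state of each trace with and without the direction check. Without the check, two FINs from the same host followed by one ACK from the peer carry the tracker to TIME_WAIT although the peer never closed its side; with the check, the tracker stays in FIN_WAIT. The toy omits everything else the real state table and its helpers look at (ACK direction in other states, sequence-number windows, timeouts), so it shows only the one transition the question is about.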