Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:

> I fully agree with Florian: conntrack plays the role of a middle box and
> cannot absolutely know the right seq/ack numbers of the client/server
> sides. Add NAT on top of that and there are a couple of ways to attack a
> given traffic. I don't see a way by which the checkings/parameters could
> be tightened without blocking real traffic.

I forgot about TCP timestamps, which we do not track at the moment.

But then there is a slight caveat: if one side exits, RST won't carry the timestamp option, so even keeping track of timestamps will help :-(