> 1) How extensive is IPTables stateful packet filtering? Especially with
> TCP and the recent reset paranoia
> (http://www.uniras.gov.uk/vuls/2004/236929/index.htm), what is checked for
> stateful TCP inspection? Are the sequence numbers carefully scrutinized as
> part of the state check? For an excellent paper on TCP state checking, I
> like the following:
> http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz.ps.gz

The "tcp-window-tracking patch" available in patch-o-matic is based upon the paper by Guido van Rooij that you reference.

-j