Hi Antony, hi Jim,

On Mon, Jul 26, 2004 at 02:17:33PM +0100, Antony Stone told us:
> On Monday 26 July 2004 1:51 pm, Small, Jim wrote:
>
> > 1) How extensive is IPTables stateful packet filtering? Are the sequence
> > numbers carefully scrutinized as part of the state check?
>
> No. AFAIK the connection tracking in netfilter checks only src+dst IP+port,
> nothing else.
>
> > Is there a listing of everything the connection tracking modules do?
>
> Netfilter source code is probably your best bet here.
>
> > If connection tracking or stateful inspection does not include TCP sequence
> > checking, is there a way to add it?
>
> I do not know of a patch to provide this. It would be in patch-o-matic if
> there is one.

look at the TCP window tracking patch in pom-ng. Harald has submitted it
to davem for inclusion in the mainline 2.6.9 kernel recently. Don't know
if it will be included in 2.4, too.

regards,
Sven

--
Linux zion 2.6.8-rc2 #1 Sun Jul 18 15:00:48 CEST 2004 i686 athlon i386 GNU/Linux
16:02:43 up 7 days, 17:31, 1 user, load average: 1.06, 1.08, 1.02