From what I can tell, using IPSec mitigates this vulnerability, but if you can grok this article better than I you may be able to tighten your security even further: http://www.cert.org/advisories/CA-2001-09.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé
Web Programmer
enTel Communications Inc
jpb@xxxxxxxx
250.633.5151
866.633.2644

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mike C
> Sent: Wednesday, May 16, 2007 5:57 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: TCP RST vulnerability - handling question
>
>
> Hi,
>
> I am using an iptables 1.3.5-based setup and wonder if there are any
> tools or techniques available to prevent or mitigate the TCP RST
> spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030).
>
> I see elsewhere there have been suggestions of only accepting the RST
> if the sequence id is 1 more than the current, or providing some sort
> of challenge response
> (http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-02#section-2.2).
> I don't believe netfilter uses either of these, so I am interested in
> hearing other people's approaches to it.
>
> Regards,
>
> Mike
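The two RST-handling policies discussed in the quoted message, modelled as an added example for this page (this is not netfilter, Linux kernel or list-member code). The `classic_rst` policy accepts any RST whose sequence number lands inside the receive window, which is what blind RST spoofing exploits; `tcpsecure_rst` applies the rule from the tcpsecure draft Mike links (later RFC 5961): only an RST whose SEQ equals RCV.NXT resets, an in-window but inexact SEQ gets a challenge ACK, and anything else is dropped. The connection values (`0x12345678`, a 65535-byte window) and the attacker's window-stride sweep are constructed for illustration.

```python
"""
Endpoint-side validation of inbound TCP RST segments: the pre-tcpsecure
in-window rule versus the exact-match / challenge-ACK rule.  Stand-alone
model written for this page, not kernel or netfilter code; all connection
state below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

SEQ_SPACE = 1 << 32          # TCP sequence numbers are 32-bit, modulo 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), handling wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int                 # next sequence number expected from the peer
    rcv_wnd: int                 # advertised receive window, in bytes
    state: str = "ESTABLISHED"
    challenge_acks: int = 0      # challenge ACKs this endpoint would have sent


def classic_rst(conn: Connection, seq: int) -> str:
    """Pre-tcpsecure behaviour: any in-window RST tears the connection down."""
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "reset"
    return "drop"


def tcpsecure_rst(conn: Connection, seq: int) -> str:
    """Mitigation from draft-ietf-tcpm-tcpsecure (RFC 5961 section 3.2)."""
    if seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "reset"
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        # In-window but not exact: answer with an ACK carrying our RCV.NXT.
        # A peer that really did reset replies with an exact-SEQ RST; an
        # off-path spoofer never sees the challenge and gets nowhere.
        conn.challenge_acks += 1
        return "challenge-ack"
    return "drop"


def blind_rst_attack(handler: Callable[[Connection, int], str],
                     rcv_nxt: int, rcv_wnd: int) -> Optional[int]:
    """
    Off-path attacker who knows addresses and ports but not RCV.NXT.  The
    cheapest sweep sends one spoofed RST per window-sized slice of the
    sequence space (~2^32 / RCV.WND packets), enough against the classic
    rule.  Returns how many segments were sent before the connection was
    reset, or None if the whole sweep failed.
    """
    conn = Connection(rcv_nxt, rcv_wnd)
    sent = 0
    seq = 0
    while seq < SEQ_SPACE:
        sent += 1
        if handler(conn, seq) == "reset":
            return sent
        seq += rcv_wnd
    return None


if __name__ == "__main__":
    nxt, wnd = 0x12345678, 65535   # constructed connection state
    print("classic  :", blind_rst_attack(classic_rst, nxt, wnd))
    print("tcpsecure:", blind_rst_attack(tcpsecure_rst, nxt, wnd))
```

Against the classic rule the window-stride sweep resets the constructed connection after a few thousand spoofed segments; against the tcpsecure rule the same sweep never hits RCV.NXT exactly and every in-window guess is answered with a challenge ACK instead. Note that the exact-match and challenge-ACK steps need the endpoint's own RCV.NXT, so they belong in the host TCP stack rather than in an iptables rule: an in-path firewall that tracks windows can at most drop out-of-window RSTs, which is the weaker check.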