Re: TCP RST vulnerability - handling question

On Fri, 18 May 2007, Mike C wrote:

> On 5/17/07, Mike C <smith.not.western@xxxxxxxxx> wrote:
> > I am using an iptables 1.3.5 based setup and wonder if there are any
> > tools or techniques available to prevent or mitigate the TCP RST
> > spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030)
>
> I just realised that I posted the wrong issue. The one I am referring
> to is where a third party sends a RST with a sequence number less than
> the current window, which is still treated as a valid RST by the end
> point.
> [...]
> I should outline my situation a bit more. I have a firewall that I
> want to prevent passing illegal RST packets to an inside host. In my
> case the host is patched against this issue, but this may not always
> be the case, so I need to stop the invalid resets from traversing the
> firewall in the first place.

Any recent kernel from the 2.6 series comes with TCP window tracking in netfilter, which makes sure that the RST segment is in the window.
Nothing is needed besides enabling connection tracking.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
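The window tracking described in the reply classifies an out-of-window RST as INVALID, but a FORWARD rule still has to drop it, and the check is only strict while the tcp_be_liberal sysctl is 0. The following is an added example, not code from this thread or from the netfilter project: a minimal FORWARD rule set that drops INVALID segments, plus a check of that sysctl. The inside host 192.0.2.10, port 80, and the dry-run command argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rely on netfilter TCP window tracking to
# keep out-of-window RSTs from crossing the firewall.  Conntrack only marks such
# a segment INVALID; the rule set below is what actually drops it in FORWARD.
# Assumptions: 192.0.2.10:80 is a placeholder inside host/service; passing a
# command such as "echo" to apply_rst_guard previews the rules without root.

IPTABLES="${IPTABLES:-iptables}"

# The rules as text, so they can be reviewed before they are applied.
rst_guard_rules() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --syn -m state --state NEW -d 192.0.2.10 --dport 80 -j ACCEPT
EOF
}

# Feed each rule to iptables, or to whatever command is given (e.g. echo).
apply_rst_guard() {
    cmd="${1:-$IPTABLES}"
    rst_guard_rules | while IFS= read -r rule; do
        # word-splitting of $rule into separate arguments is intended here
        $cmd $rule
    done
}

# Window tracking is strict only while *_tcp_be_liberal is 0; with 1 any
# segment for a known connection is accepted and the RST check is gone.
# Returns 0 when strict, 1 when liberal, 2 when no conntrack sysctl is
# readable.  An optional path lets a saved copy of the value be checked.
strict_tracking_enabled() {
    f="${1:-}"
    if [ -z "$f" ]; then
        for cand in /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
                    /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal; do
            if [ -r "$cand" ]; then f="$cand"; break; fi
        done
    fi
    [ -n "$f" ] && [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Detection aid: nf_conntrack_log_invalid=6 logs the TCP segments conntrack
# rejects, which is how to confirm that out-of-window RSTs are being caught.
case "${1:-}" in
    apply) apply_rst_guard ;;
    check) strict_tracking_enabled && echo "strict TCP window tracking" ;;
esac
```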

