List: netfilter-devel
Subject: Re: scrubbing support in Netfilter
From: Nicolas Bareil <nico () chdir ! org>
Date: 2008-05-28 7:33:31
Message-ID: 87d4n6nar8.fsf () chdir ! org
Patrick McHardy <kaber@trash.net> writes:
> No, unless you're referring to the unwanted side-effects from
> defragmentation and refragmentation for IPv4. I also don't
> want to include something like this in netfilter, NAT is
> already bad enough and the threats it *might* protect against
> seem a bit vague. Better throw your broken IDS out if it can
> be fooled by changing TTLs.
Indeed, you're totally right: in an ideal world, it should be useless
and avoided, but there are cases where you need "a workaround" because
you have some legacy equipment, broken IDS, broken TCP/IP stack, etc.
> I don't want to sound too discouraging though, I have no problem
> adding it to the pom-ng sources.list.
No problem, if you feel it better fits there, I'm OK with that.
> I assume it's a random offset per connection, but still, no.
> You can also still distinguish different hosts by their clock
> rates.
What do you mean precisely? Variation of the TCP timestamp? TCP
retransmission mechanisms?
Thanks
--
Nicolas Bareil http://chdir.org/~nico/
OpenPGP=0xAE4F7057 Fingerprint=34DB22091049FB2F33E6B71580F314DAAE4F7057