[395] in linux-net channel archive


Re: firewalls

daemon@ATHENA.MIT.EDU (Jos Vos)
Wed May 31 16:44:24 1995

From: Jos Vos <jos@xos.nl>
To: John Paul Morrison <jmorriso@ConcordPacific.com>
Cc: linux-net@vger.rutgers.edu
In-reply-to: Your message of "Tue, 30 May 1995 09:53:29 PDT."
             <199505301653.JAA01323@Master.ConcordPacific.Com> 
Date: Wed, 31 May 1995 21:05:40 +0200

> > /sbin/ipfwadm -B -a reject -P tcp -y -S 0.0.0.0/0 -D a.b.c.d
> > 
> > Note that this command only rejects the first IP packet of a
> > TCP connection, but this is sufficient for disabling TCP sessions.
> 
> is there any window left open for spoofing? ie if a connection is
> already open, can forged packets get sent in? A small window I
> suppose, since Linux improved the way it does TCP sequences.
> The -y flag would seem to be less secure, but then it's more flexible.

Yes, if you can hook into an ongoing connection while spoofing...
That *might* be possible, but I'm not sure how theoretical this is.

> I've looked over the code briefly, and I'm interested in adding support for
> firewalling other IP protocols, not just TCP, UDP and ICMP. For example, IP
> tunneling (Encapsulation) using pid 4, or Amateur radio AX.25 over IP (pid 94).
> Maybe other people will want to encapsulate IPX into a firewalled machine, and
> the firewall should be able to accept packets from only a few hosts.
> 
> Is there too big a performance hit for adding general support? ie

The firewall code currently uses a few bits to select the protocol.
Changing this to one or two bytes should be a problem.  Special cases,
such as handling port numbers of TCP/UDP, should however be included
explicitly.

The firewall code in 1.3 might become completely different, so don't
invest too much work in upgrading the current code.  I think your ideas
about adding generic protocol support should be taken into account when
recoding (parts of) the firewall code.

-- 
--    Jos Vos <jos@xos.nl>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
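The SYN-only semantics of the quoted `-y` rule, and the generic per-protocol matching the thread proposes, modelled as a constructed example (added here; not ipfwadm's code and not from either correspondent). The 10.0.0.x addresses stand in for a.b.c.d, and the IP-in-IP rule is an assumed illustration of the proposed extension.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

# IP protocol numbers (assumed constants, matching the "pid" values in the thread)
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AX25 = 4, 6, 94
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: int           # IP protocol number
    tcp_flags: int = 0   # only meaningful when proto == IPPROTO_TCP


@dataclass
class Rule:
    action: str             # "accept" or "reject"
    proto: Optional[int]    # None = any protocol (the generic support being proposed)
    src: IPv4Network
    dst: IPv4Network
    syn_only: bool = False  # the -y flag: SYN set and ACK clear, i.e. connection setup

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.syn_only:
            # Only the first segment of a TCP handshake has SYN without ACK;
            # every later segment of the connection falls through this rule.
            return (p.proto == IPPROTO_TCP and bool(p.tcp_flags & TCP_SYN)
                    and not (p.tcp_flags & TCP_ACK))
        return True


def decide(rules: List[Rule], p: Packet, default: str = "accept") -> str:
    """First matching rule wins; the default policy applies otherwise."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set: the quoted rule (a.b.c.d stood in by 10.0.0.5) plus the
# kind of generic-protocol rule the thread proposes (reject IP-in-IP to a subnet).
RULES = [
    Rule("reject", IPPROTO_TCP, ip_network("0.0.0.0/0"), ip_network("10.0.0.5/32"), syn_only=True),
    Rule("reject", IPPROTO_IPIP, ip_network("0.0.0.0/0"), ip_network("10.0.0.0/24")),
]
```

An ACK-only segment to 10.0.0.5 passes this rule set, which is exactly the gap the reply discusses: a `-y` rule guards the handshake, not the established connection.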
