
RE: sequence number check in pf
Petr,
Here is one excellent example of why it is important to check sequence
numbers:
http://www.uniras.gov.uk/vuls/2004/236929/index.htm
For an excellent paper on TCP state checking, I like the following:
http://home.iae.nl/users/guido/papers/tcp_filtering.ps.gz
You might want to check out Daniel's PF Page (the lead developer of pf):
http://www.benzedrine.cx/pf.html
And of course the pf FAQ is one of the best Firewall FAQs on the 'Net:
http://www.openbsd.org/faq/pf/index.html
<> Jim
> -----Original Message-----
> Hi Gurus,
> I had a discussion with a friend of mine who does use Linux (and
> therefore iptables) for his firewall. I wonder why it is so
> important for a firewall to check for a valid sequence number range
> for the whole life of a connection? As I understand it, iptables does
> it only at handshake time, and after the connection enters the ESTABLISHED
> state it checks only for {source,destination} and {IP address,
> port}. Pf, on the other hand, checks for a valid sequence number all
> the time.
> If I send a packet with an invalid seq. number (with other attributes
> valid) to a host behind the firewall and the firewall doesn't check it, i.e.
> lets it through, the destination host will drop it anyway, doesn't it?
> So in the case of pf, pf will drop the packet before it reaches the host; in
> the case of a firewall that doesn't do a check on seq. numbers, the
> destination host will drop it. Yes, nasty and invalid packets
> will enter my network, taking resources from my server etc., but
> is there anything else that I missed?
> 
> I read lots of papers about TCP hijacking, IP spoofing and packet
> injection, but I still somehow do not understand how a seq.
> number check on the firewall over the whole connection's lifetime could help.
> I could imagine only one situation: sending a RST with valid
> addresses and ports could change state on the firewall, but the host
> will drop it, so the firewall will close the connection (after some time)
> but it will still look established on both hosts.
> Could someone put more light on it?
> Thanks a lot
>
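To illustrate the difference the question asks about, here is an added example (not code from this thread, from pf, or from iptables): a deliberately simplified model of per-connection TCP window tracking in the spirit of the checks described in van Rooij's paper and used by pf, next to a check that only matches the 4-tuple. The constructed state, the `MAX_ACK_SKEW` bound and the `c2s`/`s2c` direction names are assumptions for the demo; a spoofed RST with the right addresses and ports but a sequence number outside the tracked window passes the 4-tuple-only check and is dropped by the window check before it reaches the host.

```python
MASK = 0xFFFFFFFF
MAX_ACK_SKEW = 65535  # constructed bound on how far an ACK may stray from what the peer sent

def seq_ge(a, b):
    """a >= b in wrap-around 32-bit sequence space."""
    return ((a - b) & MASK) < 0x80000000

def seq_diff(a, b):
    """Signed 32-bit distance a - b."""
    d = (a - b) & MASK
    return d - 0x100000000 if d >= 0x80000000 else d

class Peer:
    def __init__(self, seqlo, seqhi, max_win):
        self.seqlo = seqlo      # highest seq+len this side has sent
        self.seqhi = seqhi      # right edge of the window the other side granted it
        self.max_win = max_win  # largest window this side has advertised

class TcpState:
    """One tracked connection; direction 'c2s' is client->server."""
    def __init__(self, client, server):
        self.peers = {"c2s": (client, server), "s2c": (server, client)}

    def check_4tuple_only(self, direction, seq, ack, length, win):
        """Addresses and ports already matched this state, so accept (as the question describes iptables)."""
        return True

    def check_window(self, direction, seq, ack, length, win):
        """pf-style check: accept only if seq/ack fall inside the tracked windows."""
        src, dst = self.peers[direction]
        end = (seq + length) & MASK
        ok = (seq_ge(src.seqhi, end)                             # not beyond peer's window
              and seq_ge(seq, (src.seqlo - dst.max_win) & MASK)  # at most one window back
              and (ack is None or abs(seq_diff(dst.seqlo, ack)) <= MAX_ACK_SKEW))
        if ok:  # accepted packets advance the tracked edges
            if seq_ge(end, src.seqlo):
                src.seqlo = end
            if ack is not None and seq_ge((ack + win) & MASK, dst.seqhi):
                dst.seqhi = (ack + win) & MASK
            src.max_win = max(src.max_win, win)
        return ok

def demo():
    """Constructed established connection, then one legitimate data packet and one
    spoofed RST (ack=None: no ACK flag) whose seq is far outside the granted window."""
    st = TcpState(Peer(1000, 1000 + 65535, 65535), Peer(5000, 5000 + 65535, 65535))
    legit = st.check_window("c2s", seq=1000, ack=5000, length=100, win=65535)
    rst_4tuple = st.check_4tuple_only("c2s", seq=2_000_000, ack=None, length=0, win=0)
    rst_window = st.check_window("c2s", seq=2_000_000, ack=None, length=0, win=0)
    return legit, rst_4tuple, rst_window  # (True, True, False)
```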