Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Fri, 22 Apr 2011 16:16:26 +0300
From: Georgi Geshev <root@...k-labs.exploits-bg.com>
To: owl-dev@...ts.openwall.com
Subject: Re: new soft: conntrack, ucarp

Hello,

In my humble opinion, this is an appropriate (enough) suggestion, especially
concerning the conntrack-tools.

Let me know whether I should / may prepare the RPM package builds, or whether
it is actually preferable that some code review is done first.

Regards,
Georgi

On Fri, Apr 22, 2011 at 3:26 PM, Vasiliy Kulikov <segoon@...nwall.com> wrote:

> Hi,
>
> I'd suggest including 3 packages into Owl:
>
>
> 1) conntrack (http://conntrack-tools.netfilter.org/).
>
> "Program to modify the conntrack tables
>
>  conntrack is a userspace command line program targeted at system
>  administrators. It enables them to view and manage the in-kernel
>  connection tracking state table."
>
> It is a very useful tool to debug and profile stateful firewall rules.
>
>
> 24 kb installed in Ubuntu.
>
>
> 2) conntrackd (the same tarball).
>
> "Connection tracking daemon
>
>  Conntrackd can replicate the status of the connections that are
>  currently being processed by your stateful firewall based on Linux.
>  Conntrackd can also run as statistics daemon."
>
> It can be used for HA firewall setups.  110 kb in Ubuntu.
>
> Both conntrack* require new library, libnfnetlink (14 kb installed in
> Ubuntu).
>
>
> 3) ucarp (http://www.ucarp.org/project/ucarp).
>
> "user-space replacement to VRRP -- automatic IP fail-over
>
>  UCARP allows a pair of hosts to share common virtual IP addresses in
>  order to provide automatic fail-over. It is a portable user-land
>  implementation of the secure and patent-free Common Address Redundancy
>  Protocol (CARP, OpenBSD's alternative to the VRRP).
>  .
>  Strong points of the CARP protocol are: very low overhead,
>  cryptographically signed messages, interoperability between different
>  operating systems and no need for any dedicated extra network link
>  between redundant hosts."
>
> 37 kb installed, needs only libpcap.  Originates in OpenBSD camp ;-)
>
>
> If it is not appropriate to include them into the Owl, it would be handy
> to have them in some secondary repository.
>
>
> Thanks,
>
> --
> Vasiliy Kulikov
> http://www.openwall.com - bringing security into open computing
> environments
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIcBAEBAgAGBQJNsXP+AAoJEBoUx9gkVaZceP4QAM8S92hoRAmuvClHBcKJYs9a
> oRWdVZwQOBKkizCxNvVb5xBYUp15cpDg/cyEKVHCKadvRbrZOH7jYy8w3RivAol9
> oCjnZvU+HDxwQ+lg0CQYs7/mnh9RoSPDlxlHuz5psiKTJab9MzqZBGw6d6F9jvxZ
> fgKSpxjyx+QUaX3UbRpz0xki73E+6vU7gTTJFjdophYU8A410lO6Nz+Qnh5DEOgq
> TkodHzL+E2FmYtcKgMpmX+54VJ9kXZ3Vv1G+3yXONR01Bsk5K5mYqe7uX7O8pVQB
> 81Z4sfj2WRmHN7sS0TwnP+yVyazFApeP38aH3eySkx4ZTbYW1IcrBcAqmp6zJ+/X
> osOqqyVRatgEjzjEN2B7Kwd2LS+d1XNOHeI3s6VfLV2uIZFtxSP7mNnLpExVsfc7
> +EDoiGfDRfbR8fViiFWSkh36fOVJmwfG9fzY9E3yjf9SLCcoglmQcno8fVAoc5Jz
> 7VVPSvLzcy2Ts44LqGzHy/6qoXTew5zy+Fp1ZshZLtfRvNENRTO/sHbJq0So9v5L
> lNNF2Sl9ufszKc8nwfiOaNo0QRfcQ2FWy1GAM74hDaTcZ/JdABK2EF8OaDSgcYf4
> tPbN9W+wgp4g1iYvY3etnAZJ+4eK3Hd71eQOpgLSezhHf8ornpacKzX46Ve4qpw4
> cFy1plDzMnbkoTckJzkP
> =TdzT
> -----END PGP SIGNATURE-----
>
>
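
Added example, not part of either message and not the conntrack-tools project's own code: a POSIX shell script that profiles a stateful firewall from `conntrack -L` output, which is the use Vasiliy gives for conntrack above. The table listing below is constructed (assumed to follow the format conntrack-tools prints); a live listing needs root and the nf_conntrack module loaded, so the functions read from stdin and can be fed the real `conntrack -L` on a firewall. The function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (assumption: the format printed
# by conntrack-tools; a live listing needs root and the nf_conntrack module).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.5 sport=51234 dport=443 src=10.0.0.5 dst=192.168.1.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.2 dst=10.0.0.7 sport=44000 dport=22 [UNREPLIED] src=10.0.0.7 dst=192.168.1.2 sport=22 dport=44000 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.2 dst=10.0.0.7 sport=44001 dport=22 [UNREPLIED] src=10.0.0.7 dst=192.168.1.2 sport=22 dport=44001 mark=0 use=1
udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=53412 mark=0 use=1
tcp      6 119 TIME_WAIT src=192.168.1.2 dst=10.0.0.5 sport=51200 dport=80 src=10.0.0.5 dst=192.168.1.2 sport=80 dport=51200 [ASSURED] mark=0 use=1'

# Count entries per protocol and, for TCP, per state (field 4). Reads stdin.
ct_summary() {
    awk '{
        state = "-"
        if ($1 == "tcp") state = $4
        n[$1 " " state]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Count entries per original-direction destination port, i.e. which services
# (and so which ACCEPT rules) actually carry the load. The first dport= field
# on a line belongs to the original tuple; the second is the reply tuple.
ct_top_dports() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); n[$i]++; break }
    } END { for (p in n) print n[p], p }' | sort -rn
}

# Print the original tuple of every flow that never saw a reply packet.
# Many [UNREPLIED] entries towards one port usually means a rule drops the
# return path (asymmetric routing, missing RELATED,ESTABLISHED rule) or a
# SYN flood; either way these are the entries to look at first.
ct_unreplied() {
    awk '/\[UNREPLIED\]/ {
        out = ""
        for (i = 1; i <= NF && $i != "[UNREPLIED]"; i++)
            if ($i ~ /^(src|dst|dport)=/) out = out $i " "
        print out
    }'
}

# Stand-alone run on the constructed sample. On a live firewall replace the
# printf with:  conntrack -L 2>/dev/null | ct_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | ct_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | ct_top_dports
printf '%s\n' "$SAMPLE_CONNTRACK" | ct_unreplied
```

Run against the sample this reports one ESTABLISHED, two SYN_SENT, one TIME_WAIT and one UDP entry, port 22 as the busiest destination, and the two unanswered SSH connection attempts. The same per-state counts are what you would compare between both nodes of an HA pair after conntrackd has replicated the table, to confirm the standby really holds the state before ucarp moves the virtual IP.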
