Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 May 2002 01:26:07 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: owl-users@...ts.openwall.com
Subject: Re: kernel 2.4

Radoslaw Stachowiak wrote:
[]
> I have to use 2.4 due to netfilter.
> 
> after digging in archives it was quite suprising for me that most
> 2.4-upgrade reasons were filesystem issues.
> 
> For me Owl, with its security, is perfect match for firewall/router which
> extremly needs flexible statefull firewalling code (netfilter) instead
> old and feature lacking ipchains.

Iptables/netfilter, while has state machine and many features, has it's
own bad sides, and the most important one is due to it's statefulness.
It need to keep state of *all* connections coming via a host.  This may
be a huge number, and it is a very good target for various DoS attacks.
I played some games with iptables just this week: we too need it's 
functionality.  And I was able to bring network functionality of a box
down in several seconds on 10mbps LAN from another machine.  This is like
a "usual" synflood attack, but worse, since netfilter itself can't use
e.g. syncookies to protect against such attacks, and any protocol (incl.
UDP and ICMP) may be used, not only TCP.  This is not good.  There are
some ways to protect against this bad behaviour, but those ways aren't
very adequate either.  One way I know of is to limit number of packets
that will create new connection entries.  But simple rate limiter does
not work good with different timeouts for a new entry for different
protocols etc, and there are situations when one need to allow big
number of e.g. very short tcp sessions (webserver w/o persistent
connections) when new conntrack entries will be removed shortly after
being created.  Mind you, *all* masquerading etc now requires conntrack
module to be loaded (this is done in nat table), and after this module
is loaded, it will try to track *all* connections, not only masqueraded
ones.  Also funny enouth that ipchains module in 2.4 is NOT compatible
with 2.2 ipchains firewall: I know at least one difference that is very
important for us, it is unability to read packet counters and zero them
in one go, atomically (we have traffic accounting based on this, and it
will not work with 2.4 kernel, and there is no way to make it work and
be *accurate*).

/mjt

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.