LinuxQuestions.org


dman777 03-27-2011 10:55 PM

Iptables read at application level?

I'm reading this tutorial that is old (kernel 2.4) for iptables. It states that iptables should not be read at the application level of the TCP model because of packet boundaries. Does this still hold true today?

salasi 03-28-2011 04:26 AM

Quote:

Originally Posted by dman777 (Post 4305737)
I'm reading this tutorial that is old (kernel 2.4) for iptables. It states that...

It is difficult to comment in detail if you don't say a bit more about the tutorial (a link?), or the context in which the statement is made... however...

Why not read a more up-to-date tutorial?
http://iptables-tutorial.frozentux.net/
Or is there some reason that kernel 2.4 is what you need for your application?

Quote:

Originally Posted by dman777 (Post 4305737)
It states that iptables should not be read at the application level of the TCP model because of packet boundaries...

I think what this is about (and, without context, I'm having to guess a bit) is that TCP packets can arrive fragmented, and if security depends on detecting, say, a particular string, either accidentally or with malice aforethought, packets can be fragmented such that the target string only arrives in parts and cannot therefore be detected unless the packets are re-assembled before the string detection occurs.

You can imagine a piece of malware called 'badstuff.exe', and you might be very worried about that. You could then come up with a scheme that depended on detecting the string 'badstuff.exe', but that could arrive at the firewall as a packet containing 'bads' and another with 'tuff.exe', and they would both seem to be innocent packets.

Quote:

Originally Posted by dman777 (Post 4305737)
Does this still hold true today?

Don't know about IPv6, but that's the only thing that I could see changing the situation, in principle, although, theoretically, you may be able to do stuff in network arch in order to get around the problem, and it depends on context whether that could be a solution to your problem. If, for example, your problem is home web browsing, you probably don't want to buy a Cisco IOS box (in the interests of fairness and balance, I have to say that other, high quality, but overpriced, networking hardware is available) in order to cure the problem. And I'm not even completely sure that it would be a complete cure.

Or you could do your stuff at some point in the networking model (see the OSI model, which I'd bet has a Wikipedia page) at which packets are re-assembled...
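The split-string problem salasi describes, as an added example that is not part of the thread: a stateless per-packet match misses `badstuff.exe` when a constructed HTTP request line is split across two TCP segments (which also arrive out of order), while reassembling the stream, or carrying a short tail between in-order segments, finds it. `Segment`, `reassemble` and `StreamingMatcher` are illustrative names assumed here, not iptables or kernel APIs.

```python
# Added example, not from the thread: a per-packet string check (the kind of
# match a packet filter does on each packet alone) misses a pattern split
# across TCP segments; reassembling the byte stream first finds it.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes

def per_packet_match(segments, pattern):
    """Each segment inspected in isolation, no state carried between them."""
    return any(pattern in s.payload for s in segments)

def reassemble(segments, isn=0):
    """Rebuild the stream in sequence order. Tolerates out-of-order arrival
    and retransmitted overlaps; stops at the first hole in the stream."""
    stream = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda seg: seg.seq):
        if s.seq > expected:
            break                # missing bytes: cannot inspect past the hole
        skip = expected - s.seq  # bytes already seen (overlap from retransmit)
        if skip < len(s.payload):
            stream += s.payload[skip:]
            expected = s.seq + len(s.payload)
    return bytes(stream)

def stream_match(segments, pattern):
    """Match against the reassembled stream instead of individual packets."""
    return pattern in reassemble(segments)

class StreamingMatcher:
    """Cheaper alternative for in-order, non-overlapping data: keep only the
    last len(pattern)-1 bytes so a pattern split across segments is seen whole."""
    def __init__(self, pattern):
        self.pattern, self.tail = pattern, b""
    def feed(self, payload):
        data = self.tail + payload
        self.tail = data[-(len(self.pattern) - 1):] if len(self.pattern) > 1 else b""
        return self.pattern in data

# Constructed sample: one request line split mid-filename, second segment first.
PATTERN = b"badstuff.exe"
SEGMENTS = [Segment(9, b"tuff.exe HTTP/1.0\r\n"), Segment(0, b"GET /bads")]

def demo(segments=SEGMENTS, pattern=PATTERN):
    in_order = sorted(segments, key=lambda seg: seg.seq)
    m = StreamingMatcher(pattern)
    return (per_packet_match(segments, pattern),       # False: split pattern
            stream_match(segments, pattern),           # True: reassembled
            any(m.feed(s.payload) for s in in_order))  # True: tail carried
```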
