Message-ID: <3CF698EF.2D61A900@tls.msk.ru>
Date: Fri, 31 May 2002 01:26:07 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: owl-users@...ts.openwall.com
Subject: Re: kernel 2.4

Radoslaw Stachowiak wrote:
[]
> I have to use 2.4 due to netfilter.
>
> after digging in archives it was quite surprising for me that most
> 2.4-upgrade reasons were filesystem issues.
>
> For me Owl, with its security, is perfect match for firewall/router which
> extremely needs flexible stateful firewalling code (netfilter) instead
> old and feature lacking ipchains.

Iptables/netfilter, while it has a state machine and many features, has its
own bad sides, and the most important one is due to its statefulness. It
needs to keep state of *all* connections coming via a host. This may be a
huge number, and it is a very good target for various DoS attacks. I played
some games with iptables just this week: we too need its functionality. And
I was able to bring network functionality of a box down in several seconds
on 10mbps LAN from another machine. This is like a "usual" synflood attack,
but worse, since netfilter itself can't use e.g. syncookies to protect
against such attacks, and any protocol (incl. UDP and ICMP) may be used, not
only TCP. This is not good.

There are some ways to protect against this bad behaviour, but those ways
aren't very adequate either. One way I know of is to limit the number of
packets that will create new connection entries. But a simple rate limiter
does not work well with different timeouts for a new entry for different
protocols etc, and there are situations when one needs to allow a big
number of e.g. very short tcp sessions (webserver w/o persistent
connections) when new conntrack entries will be removed shortly after being
created. Mind you, *all* masquerading etc now requires the conntrack module
to be loaded (this is done in the nat table), and after this module is
loaded, it will try to track *all* connections, not only masqueraded ones.
Also funny enough that the ipchains module in 2.4 is NOT compatible with the
2.2 ipchains firewall: I know at least one difference that is very important
for us, it is the inability to read packet counters and zero them in one go,
atomically (we have traffic accounting based on this, and it will not work
with a 2.4 kernel, and there is no way to make it work and be *accurate*).

/mjt
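The two complaints above (a flood of new flows filling the state table, and a plain cap on new entries per second throwing away legitimate short sessions) as an added toy model; this is not code from the list post or from netfilter, and the table capacity, per-protocol entry lifetimes and traffic rates are assumed illustrative values.

```python
import heapq

# Assumed per-protocol lifetimes of a state entry, in seconds (illustrative
# values chosen for the model, not the kernel's actual conntrack timeouts).
LIFETIME = {"tcp_short": 5, "udp": 30}

class ConntrackModel:
    """Toy state table: fixed capacity, per-entry expiry, and an optional
    cap on new entries per second standing in for a simple rate limiter."""

    def __init__(self, capacity, new_per_sec=None):
        self.capacity = capacity
        self.new_per_sec = new_per_sec
        self.expiry = []  # min-heap of entry expiry times
        self.stats = {"accepted": {}, "dropped_full": {}, "dropped_limit": {}}

    def _count(self, key, proto):
        self.stats[key][proto] = self.stats[key].get(proto, 0) + 1

    def run(self, seconds, offered):
        """offered: {proto: new flows per second}. Returns final table size."""
        for now in range(seconds):
            while self.expiry and self.expiry[0] <= now:  # expire old entries
                heapq.heappop(self.expiry)
            budget = self.new_per_sec
            for proto, rate in offered.items():
                for _ in range(rate):
                    if budget is not None and budget <= 0:
                        self._count("dropped_limit", proto)   # limiter drop
                    elif len(self.expiry) >= self.capacity:
                        self._count("dropped_full", proto)    # table full
                    else:
                        heapq.heappush(self.expiry, now + LIFETIME[proto])
                        self._count("accepted", proto)
                        if budget is not None:
                            budget -= 1
        return len(self.expiry)

def demo(capacity=4096, seconds=60):
    """Two runs: (a) no limiter, a 200/s UDP flood beside 300/s short TCP
    sessions; (b) a 100/s limiter with only the legitimate TCP traffic."""
    flood = ConntrackModel(capacity)
    flood_final = flood.run(seconds, {"udp": 200, "tcp_short": 300})
    limited = ConntrackModel(capacity, new_per_sec=100)
    limited_final = limited.run(seconds, {"tcp_short": 300})
    return {"flood_final": flood_final, "flood_stats": flood.stats,
            "limited_final": limited_final, "limited_stats": limited.stats}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run (a) ends with the table full and legitimate TCP flows refused because long-lived UDP entries hold the slots; run (b) keeps the table nearly empty yet the limiter discards two thirds of the legitimate sessions, which is the mismatch between rate limits and per-protocol timeouts the message describes.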