As soon as the connection table is full, it becomes impossible to connect. A SYN flood against open ports is possible because only two packets are needed to put a connection into the ESTABLISHED state.
This has been corrected: a connection is considered established only after the third packet has been seen.
Sequence numbers are not checked.
This has been corrected with Rusty's poor-man's sequence tracking: sequence numbers are checked for the first three packets.
Jozsef Kadlecsik has written a patch based on the paper "Real Stateful TCP Packet Filtering in IP Filter" by Guido van Rooij, which describes the stateful implementation of IP Filter.
For the time being, this patch breaks NAT for the FTP and IRC modules.