Re: Curious: syncookies ready for distributed syn flooding?

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Mon Jun 12 2000 - 09:10:04 EST


> > I'd actually be tempted to implement syn cookies on the firewall and do a
> > proxy session, even if I did it purely kernel space.
>
> This could be an add-on to NAT/masquerading, since we already track connection
> status there anyway. (Meaning we don't open an additional channel to run our
> firewall out of memory with state data, but only "beef up" an already existing
> one)

That is sort of what I came up with later in further discussion

Receive a syn, the firewall box sends back a syncookie syn|ack
Receive a suitable ack, do syn/synack/ack sequence with the server from
the firewall
Now just bend the sequence numbering as the packets are natted

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
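The proxy sketched in the message above (answer the SYN with a cookie SYN|ACK, validate the returning ACK statelessly, only then run the real three-way handshake with the server, and bend the sequence numbers as packets are NATed), as an added Python model. This is not code from the thread or from the Linux kernel: the cookie layout, the MSS table, the HMAC construction, the Seg/Firewall names, the addresses, ISNs and secret are all constructed here for illustration.

```python
"""Model of a SYN-cookie proxy sitting in a NAT firewall (added example, not from the thread)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed 32-bit cookie layout: top 8 bits are a coarse timestamp counter, the next
# 2 bits index a small MSS table, the low 22 bits are a truncated keyed hash over the
# 4-tuple, the client's ISN and the counter. Real kernels use a different hash and layout.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNT_SHIFT, MSS_SHIFT = 24, 22
HASH_MASK = (1 << MSS_SHIFT) - 1
M32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Seg:
    """Only the TCP header fields the firewall has to look at."""
    src: tuple      # (ip string, port)
    dst: tuple
    seq: int
    ack: int
    flags: str      # "S", "SA", "A", "PA"


def _mac(secret, src, dst, client_isn, count):
    ip = lambda a: bytes(int(o) for o in a.split("."))
    msg = struct.pack("!4s4sHHII", ip(src[0]), ip(dst[0]), src[1], dst[1], client_isn, count & 0xFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(secret, src, dst, client_isn, mss, count):
    """ISN for our SYN|ACK: carries everything needed to validate the later ACK without state."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(secret, src, dst, client_isn, count) & HASH_MASK
    return ((count & 0xFF) << COUNT_SHIFT) | (idx << MSS_SHIFT) | mac


def check_cookie(secret, src, dst, client_isn, cookie, now, max_age=2):
    """Return the MSS encoded in a fresh, authentic cookie, or None to drop the ACK."""
    count = cookie >> COUNT_SHIFT
    if (now - count) & 0xFF > max_age:          # stale: replayed, or forged with an old counter
        return None
    expect = struct.pack("!I", _mac(secret, src, dst, client_isn, count) & HASH_MASK)
    if not hmac.compare_digest(expect, struct.pack("!I", cookie & HASH_MASK)):
        return None
    return MSS_TABLE[(cookie >> MSS_SHIFT) & 3]


class Firewall:
    """Keeps no state per SYN; proxies the handshake and NATs sequence numbers once the ACK checks out."""

    def __init__(self, secret, now=0):
        self.secret, self.now = secret, now
        self.pending = {}   # client -> cookie handed out, while we handshake with the server
        self.flows = {}     # client -> (server_isn - cookie) mod 2^32 for established flows

    def from_client(self, seg):
        """Segments the firewall emits for a client segment; an empty list means drop."""
        if seg.flags == "S":       # step 1: SYN|ACK whose ISN is the cookie, nothing stored
            cookie = make_cookie(self.secret, seg.src, seg.dst, seg.seq, 1460, self.now)
            return [Seg(seg.dst, seg.src, cookie, (seg.seq + 1) & M32, "SA")]
        if seg.src in self.flows:  # established: bend the ack toward the server's real ISN
            return [Seg(seg.src, seg.dst, seg.seq, (seg.ack + self.flows[seg.src]) & M32, seg.flags)]
        if seg.flags == "A":       # step 2: is this the ACK of a cookie we handed out?
            client_isn, cookie = (seg.seq - 1) & M32, (seg.ack - 1) & M32
            if check_cookie(self.secret, seg.src, seg.dst, client_isn, cookie, self.now) is None:
                return []
            self.pending[seg.src] = cookie
            return [Seg(seg.src, seg.dst, client_isn, 0, "S")]   # reuse the client's ISN toward the server
        return []

    def from_server(self, seg):
        if seg.flags == "SA" and seg.dst in self.pending:  # step 3: finish the server-side handshake
            cookie = self.pending.pop(seg.dst)
            self.flows[seg.dst] = (seg.seq - cookie) & M32
            return [Seg(seg.dst, seg.src, seg.ack, (seg.seq + 1) & M32, "A")]
        if seg.dst in self.flows:  # established: the client must see the cookie-based numbering
            return [Seg(seg.src, seg.dst, (seg.seq - self.flows[seg.dst]) & M32, seg.ack, seg.flags)]
        return []


def run_handshake(secret=b"constructed-secret", client=("10.0.0.1", 40000),
                  server_addr=("192.0.2.10", 80), client_isn=1000, server_isn=500000):
    """Drive one connection through the proxy, playing the server inline; all values are constructed."""
    fw = Firewall(secret)
    synack, = fw.from_client(Seg(client, server_addr, client_isn, 0, "S"))              # 1. cookie SYN|ACK
    cookie = synack.seq
    fw_syn, = fw.from_client(Seg(client, server_addr, client_isn + 1, (cookie + 1) & M32, "A"))  # 2.
    srv_synack = Seg(server_addr, client, server_isn, (fw_syn.seq + 1) & M32, "SA")     # server answers
    fw_ack, = fw.from_server(srv_synack)                                                # 3. firewall ACKs
    # 4. data both ways: only the server-facing ack and the client-facing seq need bending
    to_server, = fw.from_client(Seg(client, server_addr, client_isn + 1, (cookie + 1) & M32, "PA"))
    to_client, = fw.from_server(Seg(server_addr, client, server_isn + 1, client_isn + 1, "PA"))
    return {"cookie": cookie, "server_saw_isn": fw_syn.seq, "server_got_ack": fw_ack.ack,
            "to_server_ack": to_server.ack, "to_client_seq": to_client.seq, "pending": len(fw.pending)}


def spoofed_ack_dropped(secret=b"constructed-secret"):
    """An ACK carrying a guessed cookie (stale counter here) must not trigger a SYN to the server."""
    fw = Firewall(secret)
    return fw.from_client(Seg(("10.0.0.2", 1234), ("192.0.2.10", 80), 1, 0x12345678, "A")) == []
```

Two things the model makes visible. First, the firewall allocates nothing for a bare SYN, so a SYN flood costs it only the HMAC per packet, and a flood of forged ACKs is rejected by the counter check or the hash before any state or any SYN to the server exists. Second, because the firewall SYNs the server with the client's own ISN, only one number per direction has to be rewritten in the NAT path: the server-bound ack and the client-bound seq, both by the same delta. The usual SYN-cookie caveat applies to the proxy as well: TCP options from the client's SYN (window scale, SACK permitted) are lost unless the cookie encodes them, which this toy layout does not.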



This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:25 EST