hardware firewall - Slackware

Thread: hardware firewall

  1. hardware firewall

    I'm setting up a hardware firewall on a desktop. One of the setup
    parameters was "TCP Sequence Number Difference":

    "The maximum sequence number difference allowed between subsequent TCP
    packets. If this number is exceeded, the packet is dropped. Acceptable
    range is 0-65535. A value of 0 disables this check."


    What would be a practical & useful setting for this stateful
    inspection?



  2. Re: hardware firewall

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On 2008-08-06, grasshopper wrote:
    > I'm setting up a hardware firewall on a desktop. One of the setup
    > parameters was "TCP Sequence Number Difference":
    >
    > "The maximum sequence number difference allowed between subsequent TCP
    > packets. If this number is exceeded, the packet is dropped. Acceptable
    > range is 0-65535. A value of 0 disables this check. "
    >
    > What would be a practical & useful setting for this stateful
    > inspection?


    Disable it; I don't see how this could be useful at all. The sequence
    numbers should be roughly sequential (owing to dropped packets, there
    will be some difference) so a low number is not only useless, but
    completely retarded as well. A high number won't make any difference
    at all. The only situation this _might_ help is where an attacker has
    begun spoofing the IP address of another computer that has already
    performed a TCP handshake with your box and begins to inject packets at
    random. Of course, if said attacker is able to snoop your traffic and
    learn who is talking to who, he'd also learn the sequence numbers and
    could trivially set them to similar values, bypassing any "protection"
    this offered in the first place.

    - --
    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEARECAAYFAkiZwzUACgkQrZS6hX/gvjpPngCgrpw+MN7j0sZ2lOnHP4CLbmr4
    rusAnjCRJG6BsI4KsQ7vgw5qeUpNdcLb
    =NuXS
    -----END PGP SIGNATURE-----
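The check Alan describes, written out as an added example (not code from the thread or from the firewall product grasshopper is configuring). It models the setting from its own description: remember the sequence number of the last accepted packet per flow, drop any later packet whose sequence number jumps further than the configured maximum, and treat 0 as disabled. Constructed traces are then run through it to show where a low limit drops ordinary traffic, why a 32-bit sequence wrap needs modular arithmetic, and why even the maximum of 65535 trips on loss, reordering and retransmission. The function names, the per-flow state, the sample sequence numbers and the wraparound handling are all assumptions, not the product's actual behaviour.

```python
"""Model of a stateful firewall's "TCP Sequence Number Difference" check.

Added example for this thread; it is not code from the forum or from the
firewall product being configured.  The check is modelled from the setting's
own description: the difference between the sequence numbers of subsequent
TCP packets in a flow must not exceed a configured maximum (0-65535), and 0
disables the check.  Function names, the per-flow state, the constructed
sample traces and the 32-bit wraparound handling are all assumptions.
"""

from typing import List, Tuple

SEQ_MOD = 2 ** 32            # TCP sequence numbers are 32-bit and wrap around
MSS = 1460                   # typical Ethernet segment payload size


def seq_delta(prev_seq: int, cur_seq: int, modular: bool = True) -> int:
    """Distance from prev_seq to cur_seq.

    modular=True  -> forward distance mod 2**32 (correct for a wrapping counter)
    modular=False -> plain absolute difference, the way a naive implementation
                     might compute it; a legitimate wrap then looks like a jump
                     of roughly four billion and gets dropped.
    """
    if modular:
        return (cur_seq - prev_seq) % SEQ_MOD
    return abs(cur_seq - prev_seq)


def filter_flow(seqs: List[int], max_diff: int,
                modular: bool = True) -> Tuple[List[int], List[int]]:
    """Run the sequence-difference check over one flow.

    seqs     -- sequence numbers of subsequent packets, in arrival order
    max_diff -- configured maximum difference (0-65535); 0 disables the check
    Returns (accepted, dropped).  Per-flow state is the sequence number of the
    last accepted packet; a dropped packet does not advance it (assumption).
    """
    if not 0 <= max_diff <= 65535:
        raise ValueError("max_diff must be in the range 0-65535")
    accepted: List[int] = []
    dropped: List[int] = []
    last = None
    for seq in seqs:
        if last is None or max_diff == 0 or seq_delta(last, seq, modular) <= max_diff:
            accepted.append(seq)
            last = seq
        else:
            dropped.append(seq)
    return accepted, dropped


def counts(result: Tuple[List[int], List[int]]) -> Tuple[int, int]:
    """(number accepted, number dropped) for a filter_flow result."""
    return len(result[0]), len(result[1])


def run_scenarios() -> dict:
    """Constructed traces showing where the check bites legitimate traffic."""
    # In-order flow whose ISN sits 3000 below 2**32, so it wraps mid-stream.
    isn_wrap = SEQ_MOD - 3000
    steady = [(isn_wrap + MSS * i) % SEQ_MOD for i in range(6)]

    # Flow that loses a window of in-flight data (the next packet seen is
    # about 70 KB ahead) and then carries a retransmission of older data.
    isn = 1_000_000
    bursty = [isn, isn + MSS, isn + 2 * MSS,
              isn + 2 * MSS + 70_000, isn + 2 * MSS + 71_460,
              isn + 2 * MSS + 72_920,
              isn + MSS]                        # retransmitted segment

    return {
        # A limit below the segment size drops everything after the first packet.
        "steady_low_threshold": counts(filter_flow(steady, 1000)),
        # At the maximum limit with modular arithmetic the wrap is harmless.
        "steady_modular": counts(filter_flow(steady, 65535)),
        # The same flow through a non-wrap-aware check loses its tail.
        "steady_naive": counts(filter_flow(steady, 65535, modular=False)),
        # Loss exceeds 65535 and the retransmission goes backwards: all dropped.
        "bursty_max": counts(filter_flow(bursty, 65535)),
        # 0 disables the check; everything passes.
        "bursty_disabled": counts(filter_flow(bursty, 0)),
    }


if __name__ == "__main__":
    for name, (acc, drp) in run_scenarios().items():
        print(f"{name:22s} accepted={acc} dropped={drp}")
```

Running the file prints the accepted/dropped counts per scenario. The point of the design is that the only state the check keeps is one sequence number per flow, so anything that legitimately moves the stream by more than the limit (loss, reordering, a backwards retransmission, a wrap handled without modular arithmetic) is indistinguishable from the injected packet the setting is meant to stop.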

  3. Re: hardware firewall

    On Wed, 06 Aug 2008 15:28:53 +0000, +Alan Hicks+ wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On 2008-08-06, grasshopper wrote:
    >> I'm setting up a hardware firewall on a desktop. One of the setup
    >> parameters was "TCP Sequence Number Difference":
    >>
    >> "The maximum sequence number difference allowed between subsequent TCP
    >> packets. If this number is exceeded, the packet is dropped. Acceptable
    >> range is 0-65535. A value of 0 disables this check. "
    >>
    >> What would be a practical & useful setting for this stateful
    >> inspection?

    >
    > Disable it;


    Agreed. (At least if it's for a Wild-outside-->Inside filtering.(*))

    > I don't see how this could be useful at all.


    And there'll be many cases where it only adds nuisances for the
    white hats and hardly ever bothers the black hats.

    > The sequence
    > numbers should be roughly sequential (owing to dropped packets, there
    > will be some difference) so a low number is not only useless, but
    > completely retarded as well. A high number won't make any difference at
    > all. The only situation this _might_ help is where an attacker has
    > begun spoofing the IP address of another computer that has already
    > performed a TCP handshake with your box and begins to inject packets at
    > random. Of course, if said attacker is able to snoop your traffic and
    > learn who is talking to who, he'd also learn the sequence numbers and
    > could trivially set them to similar values, bypassing any "protection"
    > this offered in the first place.


    Could be.
    (*) Actually, the very case where such a setting could be used
    would be for SomewhereInside-->OtherwhereInside (or a different security level of a DMZ).
    That could help to block malware or attackers possibly trying to spread
    or to bore in from the inside.

    As I suppose Grasshopper is not trying to run a big WAN+MultiLAN company
    but just to filter aliens coming from outer space, the best choice is to
    set it to 0.
