I think I just came up with a rather fun idea for a
netfilter plugin.
Basically, it terminates IP connections that it doesn't
know of. This makes pretty sure that people trying to
do IP spoofing (because they're along the path) get their
connections terminated immediately because the victim
machine hasn't done the negotiations itself.
I don't know how quickly a connection can be terminated
or how effective this measure could be, but a FIN/FINACK
combo shouldn't be too hard, now should it?
Rik
-- The Internet is not a network of computers. It is a network of people. That is its real strength.-- work at: http://www.reseau.nl/ home at: http://www.nl.linux.org/~riel/
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/