Hello!
"Why bother? Don't you have anything else to worry about?"
Well, one of the main reasons for working with Linux is to learn about it. Being able to prevent buffer overflows in general will be, I think, a good idea.
"If you succeed in doing that, you'll cause all sorts of problems. You'll hardly be able to download anything."
On Linux 2.4.x/2.6.x you have quite good control over which data streams and which traffic directions you are filtering. It's also quite easy to have different configuration scripts for different situations. The idea was/is to filter on the length of the data packets in the traffic direction in from the WAN to the local processes on the server (INPUT chain).
I don't know what the right maximum length of a data packet would be. Of course this would have to be tried out. If too short, the only thing that will happen is that the data stream to the web server will stop (if combining port 80 and maximum length criteria).
By the way, I tried "modprobe ipt_length" (believing this was the right kernel module). It looks like it loads OK, and "modprobe -l" also shows it is there.
When trying to use it, this message appears:
iptables v1.2.5: Couldn't load match length':/lib/iptables/libipt_length.so: cannot open shared object file: No such file or directory
Just curious about what this means. The module is there, but then it's not there (just trying to understand; it might be the incorrect module).
By the way, I'm using "server only", so it's only a question of limiting the length of the packets in to the web server to be able to prevent all kinds of buffer overflows, as a general principle, and to make some experiments on that.
Best regards, Arne.
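One way to try this out, as an added example that is not from Arne's post or from the iptables project: a POSIX sh script that first looks for the userspace half of the match (the "modprobe ipt_length" module is only the kernel half; iptables also needs libipt_length.so, or libxt_length.so on newer builds, and the error above says it could not open that file), then emits an iptables-restore ruleset that drops oversized packets arriving for port 80. The library directories and the 1500-byte cap are assumptions.

```shell
#!/bin/sh
# Added example, not from Arne's post: build an iptables ruleset that caps the
# per-packet length of traffic to the local web server with the "length" match.
# Assumed paths: iptables 1.2.x keeps its match extensions in /lib/iptables
# (libipt_length.so); newer builds use libxt_length.so under an xtables dir.

# Locate the userspace half of the match. "modprobe ipt_length" loads only the
# kernel half; "Couldn't load match `length'" means this shared object is
# absent, so the iptables package was built or installed without it.
find_length_ext() {
    for d in /lib/iptables /usr/lib/iptables /lib/xtables /usr/lib/xtables \
             /usr/lib/x86_64-linux-gnu/xtables; do
        for f in "$d/libipt_length.so" "$d/libxt_length.so"; do
            [ -f "$f" ] && { echo "$f"; return 0; }
        done
    done
    return 1
}

# Rule that drops packets to TCP port $1 longer than $2 bytes. --length counts
# the whole IP packet, headers included, so it bounds one packet, not the
# HTTP request that the kernel reassembles from many packets.
oversize_rule() {
    echo "-A INPUT -p tcp --dport $1 -m length --length $(($2 + 1)):65535 -j DROP"
}

# Complete iptables-restore ruleset for a "server only" box: loopback and
# established traffic first, then the length cap, then the web port itself.
build_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    oversize_rule "$1" "$2"
    echo "-A INPUT -p tcp --dport $1 -j ACCEPT"
    echo "COMMIT"
}

# Stand-alone run: print the ruleset, or apply it (as root) when APPLY=yes.
find_length_ext >/dev/null ||
    echo "note: no libipt_length.so/libxt_length.so found; the match will not load" >&2
if [ "${APPLY:-no}" = "yes" ]; then
    build_ruleset 80 1500 | iptables-restore
else
    build_ruleset 80 1500
fi
```

Check the rule counters afterwards with `iptables -L INPUT -v -n`: if the DROP line never counts, normal traffic already fits under the cap, since the link MTU keeps packets at 1500 bytes or less.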