Hello all.

Is there a way to have spoof_source functionality option in syslog-ng TCP connections? Is this a feature for future syslog-ng releases?

Thanks in advance

Gerardo Amaya

On Mon, 15 Aug 2005 10:05:05 MDT, Gerardo Amaya said:
> Is there a way to have spoof_source functionality option in syslog-ng TCP connections?

Not if the receiving host properly implements RFC1948. And if it doesn't, you have bigger problems....

(Hint - how do you get the TCP connection through the 3-packet startup handshake if you're spoofing the source? You send a spoofed SYN, it sends a SYN+ACK back to the spoofed address, which will likely toss an RST packet back, and things go pear-shaped really fast.)

On Mon, 2005-08-15 at 15:09 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 15 Aug 2005 10:05:05 MDT, Gerardo Amaya said:
> > Is there a way to have spoof_source functionality option in syslog-ng TCP connections?
>
> Not if the receiving host properly implements RFC1948. And if it doesn't, you have bigger problems....
>
> (Hint - how do you get the TCP connection through the 3-packet startup handshake if you're spoofing the source? You send a spoofed SYN, it sends a SYN+ACK back to the spoofed address, which will likely toss an RST packet back, and things go pear-shaped really fast.)

It would be possible if the syslog-ng box is the router that routes the spoofed IP address range. However it is not very simple, as it would require TProxy [1] functionality in the kernel.

[1] http://www.balabit.com/products/oss/tproxy/

--
Bazsi
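
The handshake failure described in the thread above, as an added example that is not part of the original posts or of syslog-ng: a toy model (no real packets) of a receiver that picks its initial sequence number the RFC 1948 way, showing why a sender that claims someone else's source address cannot finish the three-way handshake. The class and function names, the documentation-range addresses and port 514 are constructed for illustration.

```python
import hashlib, os, struct, time

SECRET = os.urandom(16)  # per-boot secret known only to the receiver
MASK = 0xFFFFFFFF

def rfc1948_isn(laddr, lport, raddr, rport, secret=SECRET, now=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport), per RFC 1948."""
    now = time.time() if now is None else now
    m = int(now * 250_000) & MASK  # M: timer that ticks every 4 microseconds
    conn_id = f"{laddr}:{lport}|{raddr}:{rport}|".encode()
    f = struct.unpack(">I", hashlib.md5(conn_id + secret).digest()[:4])[0]
    return (m + f) & MASK

class Receiver:
    """Toy model of the log server's TCP listener."""
    def __init__(self, addr, port):
        self.addr, self.port, self.half_open = addr, port, {}

    def on_syn(self, src, sport, client_isn):
        isn = rfc1948_isn(self.addr, self.port, src, sport)
        self.half_open[(src, sport)] = isn
        # The SYN+ACK is routed to whatever address the SYN claimed.
        return {"to": src, "seq": isn, "ack": (client_isn + 1) & MASK}

    def on_rst(self, src, sport):
        self.half_open.pop((src, sport), None)

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        ok = isn is not None and ack == ((isn + 1) & MASK)
        return "ESTABLISHED" if ok else "RST"

def honest_connect(rx, src, sport):
    synack = rx.on_syn(src, sport, client_isn=1000)
    return rx.on_ack(src, sport, (synack["seq"] + 1) & MASK)  # sender saw the ISN

def spoofed_connect(rx, sender, claimed_src, sport):
    synack = rx.on_syn(claimed_src, sport, client_isn=1000)
    assert synack["to"] != sender      # the reply never reaches the real sender
    rx.on_rst(claimed_src, sport)      # claimed host has no such connection: RST
    blind_guess = int.from_bytes(os.urandom(4), "big")
    return rx.on_ack(claimed_src, sport, blind_guess)

if __name__ == "__main__":
    rx = Receiver("192.0.2.10", 514)
    print(honest_connect(rx, "198.51.100.7", 40000))                  # ESTABLISHED
    print(spoofed_connect(rx, "198.51.100.7", "203.0.113.5", 40000))  # RST
```

The router case from the last reply is the exception precisely because a box that routes the spoofed range does see the SYN+ACK.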