[syslog-ng] Question - Spoof_source in TCP()
Balazs Scheidler
bazsi at balabit.hu
Tue Aug 16 09:42:02 CEST 2005
On Mon, 2005-08-15 at 15:09 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 15 Aug 2005 10:05:05 MDT, Gerardo Amaya said:
> > Is there a way to have spoof_source functionality option in syslog-ng
> > TCP connections?
>
> Not if the receiving host properly implements RFC1948. And if it doesn't,
> you have bigger problems....
>
> (Hint - how do you get the TCP connection through the 3-packet startup handshake
> if you're spoofing the source? You send a spoofed SYN, it sends a SYN+ACK back
> to the spoofed address, which will likely toss an RST packet back, and things
> go pear-shaped really fast.)

It would be possible if the syslog-ng box is the router that routes the
spoofed IP address range. However, it is not very simple, as it would
require TProxy [1] functionality in the kernel.

[1] http://www.balabit.com/products/oss/tproxy/

--
Bazsi
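
The handshake argument quoted above, as an added simulation that is not part of the original thread or of syslog-ng: a toy listener issues RFC 1948 initial sequence numbers (with MD5 as F, as the RFC suggests) and accepts a connection only when the final ACK matches. The addresses, port, secret and the names Collector and connect are constructed for illustration.

```python
import hashlib
import socket
import struct

MASK = 0xFFFFFFFF
# Constructed values: RFC 5737 documentation addresses and a fixed demo secret.
SECRET = b"constructed-demo-secret"
RELAY, CLIENT, COLLECTOR = "192.0.2.10", "198.51.100.7", "192.0.2.20"

def rfc1948_isn(secret, laddr, lport, raddr, rport, clock_us):
    """RFC 1948: ISN = M + F(localhost, localport, remotehost, remoteport, secret)."""
    m = clock_us // 4                      # M: the 4-microsecond timer
    conn = (socket.inet_aton(laddr) + struct.pack("!H", lport) +
            socket.inet_aton(raddr) + struct.pack("!H", rport))
    f = struct.unpack("!I", hashlib.md5(conn + secret).digest()[:4])[0]
    return (m + f) & MASK

class Collector:
    """Toy TCP listener that tracks half-open connections only."""
    def __init__(self, addr, port, secret):
        self.addr, self.port, self.secret = addr, port, secret
        self.half_open = {}

    def on_syn(self, src, sport, clock_us):
        isn = rfc1948_isn(self.secret, self.addr, self.port, src, sport, clock_us)
        self.half_open[(src, sport)] = isn
        return {"to": src, "seq": isn}     # SYN+ACK is routed to the claimed source

    def on_rst(self, src, sport):
        self.half_open.pop((src, sport), None)

    def on_ack(self, src, sport, ack):
        isn = self.half_open.get((src, sport))
        return isn is not None and ack == (isn + 1) & MASK

def connect(collector, sender, claimed_src, sport, owner_sends_rst=True,
            clock_us=1_000_000):
    """Return True if the three-packet handshake completes."""
    synack = collector.on_syn(claimed_src, sport, clock_us)
    if synack["to"] == sender:             # sender receives the SYN+ACK itself
        return collector.on_ack(claimed_src, sport, (synack["seq"] + 1) & MASK)
    if owner_sends_rst:                    # real owner has no such connection
        collector.on_rst(claimed_src, sport)
    # The sender never saw the SYN+ACK; the best it has is an ISN sampled
    # under its own address, which was computed with a different F().
    sampled = collector.on_syn(sender, sport, clock_us)["seq"]
    return collector.on_ack(claimed_src, sport, (sampled + 1) & MASK)
```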