ack
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 36
Chart::Sequence 0.002
Chart::Sequence is a sequence Perl class. more>>
Chart::Sequence is a sequence Perl class.
SYNOPSIS
use Chart::Sequence;
my $s = Chart::Sequence->new(
Nodes => [qw( A B C )],
Messages => [
[ A => B => "Message 1" ],
[ B => A => "Ack 1" ],
[ B => C => "Message 2" ],
],
);
# or #
my $s = Chart::Sequence->new(
SeqMLInput => "foo.seqml",
);
my $r = Chart::Sequence::Imager->new;
my $png => $r->render( $s => "png" );
$r->render_to_file( $s => "foo.png" );
<<lessSYNOPSIS
use Chart::Sequence;
my $s = Chart::Sequence->new(
Nodes => [qw( A B C )],
Messages => [
[ A => B => "Message 1" ],
[ B => A => "Ack 1" ],
[ B => C => "Message 2" ],
],
);
# or #
my $s = Chart::Sequence->new(
SeqMLInput => "foo.seqml",
);
my $r = Chart::Sequence::Imager->new;
my $png => $r->render( $s => "png" );
$r->render_to_file( $s => "foo.png" );
Download (0.015MB)
Added: 2007-07-27 License: Perl Artistic License Price:
819 downloads
LLgen 1.0
LLgen is a LL parser in the style of yacc. more>>
LLgen is a LL parser in the style of yacc.
The Amsterdam Compiler Kit is fast, lightweight and retargetable compiler suite and toolchain written by Andrew Tanenbaum and Ceriel Jacobs, and was Minix native toolchain.
The ACK was originally closed-source software (that allowed binaries to be distributed for Minix as a special case), but in April 2003 it was released under a BSD open source license.
The ACK achieves maximum portability by using an intermediate byte-code language called EM. Each language front-end produces EM object files, which are then processed through a number of generic optimisers before being translated by a back-end into native machine code.
Unlike gccs intermediate language, EM is a real programming language and could be implemented in hardware; a number of the language front-ends have libraries implemented in EM assembly.
EM is a relatively high-level stack-based machine, and one of the tools supplied with ACK is an interpreter capable of executing EM binaries directly, with a high degree of safety checking. See the em document referenced below for more information.
ACK comes with a generic linker and librarian capable of manipulating files in the ACKs own a.out-based format; it will work on files containing EM code as well as native machine code. (You can not, however, link EM code to native machine code without translating the EM binary first.)
Enhancements:
- LLgen was previously part of the Amsterdam Compiler Kit, but has been split out into a standalone component.
- This version has been updated from its original 1991 vintage source and has a completely rewritten, much more streamlined build system.
<<lessThe Amsterdam Compiler Kit is fast, lightweight and retargetable compiler suite and toolchain written by Andrew Tanenbaum and Ceriel Jacobs, and was Minix native toolchain.
The ACK was originally closed-source software (that allowed binaries to be distributed for Minix as a special case), but in April 2003 it was released under a BSD open source license.
The ACK achieves maximum portability by using an intermediate byte-code language called EM. Each language front-end produces EM object files, which are then processed through a number of generic optimisers before being translated by a back-end into native machine code.
Unlike gccs intermediate language, EM is a real programming language and could be implemented in hardware; a number of the language front-ends have libraries implemented in EM assembly.
EM is a relatively high-level stack-based machine, and one of the tools supplied with ACK is an interpreter capable of executing EM binaries directly, with a high degree of safety checking. See the em document referenced below for more information.
ACK comes with a generic linker and librarian capable of manipulating files in the ACKs own a.out-based format; it will work on files containing EM code as well as native machine code. (You can not, however, link EM code to native machine code without translating the EM binary first.)
Enhancements:
- LLgen was previously part of the Amsterdam Compiler Kit, but has been split out into a standalone component.
- This version has been updated from its original 1991 vintage source and has a completely rewritten, much more streamlined build system.
Download (0.17MB)
Added: 2006-02-06 License: BSD License Price:
1360 downloads
uEagle-ATM 1.3
uEagle-ATM provides a rewritten driver for ADSL USB modems with ADIs Eagle-USB chipset. more>>
uEagle-ATM provides a rewritten driver for ADSL USB modems with ADIs Eagle-USB chipset.
uEagle-ATM is a driver for ADSL USB modems with ADIs Eagle-USB chipset like Sagem Fast 800 or Comtrend CT-350.
This driver has been rewritten to adapt to the usbatm library, which is also used by the driver for Speedtouch 330 and Connexant AccessRunner.
It is based on Damien Bergaminis ueagle driver for *BSD. It works with Linux kernel 2.6.10 and above.
All encapsulations, such as PPPoA, PPPoE, or Routed IP, are taken into account.
Enhancements:
- improve debug trace in order to make easy to solve user problems.
- indent some code
- increase version number
- increase ack timeout for slow system (geode 233MHz where HZ=100)
- reset the cmv ack flag when rebooting
- fix potential null pointer dereference. Found by the Coverity checker.
- fix leak of memory allocated to intr if allocation of sc->urb_int fails. Found by the Coverity checker.
<<lessuEagle-ATM is a driver for ADSL USB modems with ADIs Eagle-USB chipset like Sagem Fast 800 or Comtrend CT-350.
This driver has been rewritten to adapt to the usbatm library, which is also used by the driver for Speedtouch 330 and Connexant AccessRunner.
It is based on Damien Bergaminis ueagle driver for *BSD. It works with Linux kernel 2.6.10 and above.
All encapsulations, such as PPPoA, PPPoE, or Routed IP, are taken into account.
Enhancements:
- improve debug trace in order to make easy to solve user problems.
- indent some code
- increase version number
- increase ack timeout for slow system (geode 233MHz where HZ=100)
- reset the cmv ack flag when rebooting
- fix potential null pointer dereference. Found by the Coverity checker.
- fix leak of memory allocated to intr if allocation of sc->urb_int fails. Found by the Coverity checker.
Download (0.037MB)
Added: 2007-04-16 License: GPL (GNU General Public License) Price:
933 downloads
The Amsterdam Compiler Kit 6.0 pre3
The Amsterdam Compiler Kit is a fast, lightweight and retargetable compiler suite and toolchain. more>>
The Amsterdam Compiler Kit or in short just ACK, is a fast, lightweight and retargetable compiler suite and toolchain written by Andrew Tanenbaum and Ceriel Jacobs, and was Minix native toolchain. The ACK was originally closed-source software (that allowed binaries to be distributed for Minix as a special case), but in April 2003 it was released under a BSD open source license.
The ACK achieves maximum portability by using an intermediate byte-code language called EM. Each language front-end produces EM object files, which are then processed through a number of generic optimisers before being translated by a back-end into native machine code.
Unlike gccs intermediate language, EM is a real programming language and could be implemented in hardware; a number of the language front-ends have libraries implemented in EM assembly. EM is a relatively high-level stack-based machine, and one of the tools supplied with ACK is an interpreter capable of executing EM binaries directly, with a high degree of safety checking. See the em document referenced below for more information.
ACK comes with a generic linker and librarian capable of manipulating files in the ACKs own a.out-based format; it will work on files containing EM code as well as native machine code. (You can not, however, link EM code to native machine code without translating the EM binary first.)
Installation:
To install the ACK, you need to download the source package and compile it.
Version 5.6 compiles cleanly on Linux, but it has had little testing so far. The installation instructions are complex but straightforward provided you follow the instructions. Please read the README; it provides a detailed walk-through of the compilation process, telling you what to type at each stage.
Enhancements:
- Support has been added for generating CP/M binaries using the 8080 code generator.
- The various optimisers have been beaten into shape, and its now possible to use them on all platforms; a basic peephole optimiser has been set up for the 8080.
- The floating point system has been confirmed working on the pc86 and linux386 platforms.
- ANSI compatibility has been improved, binary sizes have been reduced, and there are many bugfixes everywhere.
<<lessThe ACK achieves maximum portability by using an intermediate byte-code language called EM. Each language front-end produces EM object files, which are then processed through a number of generic optimisers before being translated by a back-end into native machine code.
Unlike gccs intermediate language, EM is a real programming language and could be implemented in hardware; a number of the language front-ends have libraries implemented in EM assembly. EM is a relatively high-level stack-based machine, and one of the tools supplied with ACK is an interpreter capable of executing EM binaries directly, with a high degree of safety checking. See the em document referenced below for more information.
ACK comes with a generic linker and librarian capable of manipulating files in the ACKs own a.out-based format; it will work on files containing EM code as well as native machine code. (You can not, however, link EM code to native machine code without translating the EM binary first.)
Installation:
To install the ACK, you need to download the source package and compile it.
Version 5.6 compiles cleanly on Linux, but it has had little testing so far. The installation instructions are complex but straightforward provided you follow the instructions. Please read the README; it provides a detailed walk-through of the compilation process, telling you what to type at each stage.
Enhancements:
- Support has been added for generating CP/M binaries using the 8080 code generator.
- The various optimisers have been beaten into shape, and its now possible to use them on all platforms; a basic peephole optimiser has been set up for the 8080.
- The floating point system has been confirmed working on the pc86 and linux386 platforms.
- ANSI compatibility has been improved, binary sizes have been reduced, and there are many bugfixes everywhere.
Download (1.1MB)
Added: 2007-05-01 License: BSD License Price:
908 downloads
Synscan 3.1
Synscan is a tool to determine the TCP ports that are in an OPEN state. more>>
Another aspect of enumeration of hosts is the determining of TCP ports in an OPEN state, that is to say TCP ports which respond to SYN packets with a Syn and the ACK flag set, Syn-Ack.
Synscan is impressively fast at determinining this via the use of two processes, one to send the Syn packets and one to listen for the responses. NB: At first start with low settings as it can impact systems if it is run too fast. The portparse utility is also a useful little tool!
Should compile cleanly on IRIX, Solaris and Linux if you have
libpcap installed.
Licensed under the GPL version 2. If you modify this app for your own needs, i would appreciate a copy of the changes being emailed to me.
Edit synscan.h to configure a few parameters before compiling.
Synscan works using 2 programs..
The "synscan" tool will send SYN packets.
And a second program, either synscand or sslog will listen for the resulting SYN/ACK packets to determine if ports are open.
Compiling this tool will create 3 binaries:
synscan - for sending SYN packets
synscand - logs replies and performs protocol specific checks
sslog - logs replies and shows ip:port results
<<lessSynscan is impressively fast at determinining this via the use of two processes, one to send the Syn packets and one to listen for the responses. NB: At first start with low settings as it can impact systems if it is run too fast. The portparse utility is also a useful little tool!
Should compile cleanly on IRIX, Solaris and Linux if you have
libpcap installed.
Licensed under the GPL version 2. If you modify this app for your own needs, i would appreciate a copy of the changes being emailed to me.
Edit synscan.h to configure a few parameters before compiling.
Synscan works using 2 programs..
The "synscan" tool will send SYN packets.
And a second program, either synscand or sslog will listen for the resulting SYN/ACK packets to determine if ports are open.
Compiling this tool will create 3 binaries:
synscan - for sending SYN packets
synscand - logs replies and performs protocol specific checks
sslog - logs replies and shows ip:port results
Download (0.033MB)
Added: 2007-04-21 License: GPL (GNU General Public License) Price:
920 downloads
Sonar 1.2.2
sonar is a network reconnaissance utility. more>>
This software is used for the automatic probing of internet hosts at a timed interval (reconnaisance), checking host connectivity, especially ICMP support (information Gathering), automated running of third party tools when said host is online (automated testing).
Use of sonar shifts responsibility for the users actions solely to that user him or herself. In other words, the author cannot be held responsible for your actions.
Examples
Run nmap with a vanilla connect scan as soon as www.google.com is online. Check every 60 seconds, go into background, and log to probe.log:
sonar -c -1 --scan_delay=60 -f --output_plugin=L
-p fprobe.log -pe"nmap -sT www.google.com"
-sI www.google.com
Check red0xs site for online status 4 time in a row (just like ping):
sonar -sI genbukan.no-ip.com
Send the contents of payload.dat to www.secursite.com every 5 minutes:
sonar -c -1 --scan_delay=300 -p ppayload.dat -sI
www.secursite.com
Send an ACK probe to googles webserver every second.
sonar --scan_delay=1 -c -1 -sA www.google.com -pp80
Enhancements:
- src/mutex.h, src/plugin.h, src/types.h, libltdl/configure, plugins/network_icmp.h, doc/Makefile.in, Makefile.in, doc/Makefile.am: Major documentation update, more to come.
- plugins/rfc793.h, plugins/rfc793.c: Removed the bloody thread (which was causing so many problems) from the ack scan
<<lessUse of sonar shifts responsibility for the users actions solely to that user him or herself. In other words, the author cannot be held responsible for your actions.
Examples
Run nmap with a vanilla connect scan as soon as www.google.com is online. Check every 60 seconds, go into background, and log to probe.log:
sonar -c -1 --scan_delay=60 -f --output_plugin=L
-p fprobe.log -pe"nmap -sT www.google.com"
-sI www.google.com
Check red0xs site for online status 4 time in a row (just like ping):
sonar -sI genbukan.no-ip.com
Send the contents of payload.dat to www.secursite.com every 5 minutes:
sonar -c -1 --scan_delay=300 -p ppayload.dat -sI
www.secursite.com
Send an ACK probe to googles webserver every second.
sonar --scan_delay=1 -c -1 -sA www.google.com -pp80
Enhancements:
- src/mutex.h, src/plugin.h, src/types.h, libltdl/configure, plugins/network_icmp.h, doc/Makefile.in, Makefile.in, doc/Makefile.am: Major documentation update, more to come.
- plugins/rfc793.h, plugins/rfc793.c: Removed the bloody thread (which was causing so many problems) from the ack scan
Download (0.48MB)
Added: 2005-09-21 License: GPL (GNU General Public License) Price:
1550 downloads
Net::Stomp 0.32
Net::Stomp is a Streaming Text Orientated Messaging Protocol Client. more>>
Net::Stomp is a Streaming Text Orientated Messaging Protocol Client.
SYNOPSIS
# send a message to the queue foo
use Net::Stomp;
my $stomp = Net::Stomp->new( { hostname => localhost, port => 61613 } );
$stomp->connect( { login => hello, passcode => there } );
$stomp->send(
{ destination => /queue/foo, body => test message } );
$stomp->disconnect;
# subscribe to messages from the queue foo
use Net::Stomp;
my $stomp = Net::Stomp->new( { hostname => localhost, port => 61613 } );
$stomp->connect( { login => hello, passcode => there } );
$stomp->subscribe(
{ destination => /queue/foo,
ack => client,
activemq.prefetchSize => 1
}
);
while (1) {
my $frame = $stomp->receive_frame;
warn $frame->body; # do something here
$stomp->ack( { frame => $frame } );
}
$stomp->disconnect;
# write your own frame
my $frame = Net::Stomp::Frame->new(
{ command => $command, headers => $conf, body => $body } );
$self->send_frame($frame);
This module allows you to write a Stomp client. Stomp is the Streaming Text Orientated Messaging Protocol (or the Protocol Briefly Known as TTMP and Represented by the symbol :ttmp). Its a simple and easy to implement protocol for working with Message Orientated Middleware from any language.
Net::Stomp is useful for talking to Apache ActiveMQ, an open source (Apache 2.0 licensed) Java Message Service 1.1 (JMS) message broker packed with many enterprise features.
A Stomp frame consists of a command, a series of headers and a body - see Net::Stomp::Frame for more details.
<<lessSYNOPSIS
# send a message to the queue foo
use Net::Stomp;
my $stomp = Net::Stomp->new( { hostname => localhost, port => 61613 } );
$stomp->connect( { login => hello, passcode => there } );
$stomp->send(
{ destination => /queue/foo, body => test message } );
$stomp->disconnect;
# subscribe to messages from the queue foo
use Net::Stomp;
my $stomp = Net::Stomp->new( { hostname => localhost, port => 61613 } );
$stomp->connect( { login => hello, passcode => there } );
$stomp->subscribe(
{ destination => /queue/foo,
ack => client,
activemq.prefetchSize => 1
}
);
while (1) {
my $frame = $stomp->receive_frame;
warn $frame->body; # do something here
$stomp->ack( { frame => $frame } );
}
$stomp->disconnect;
# write your own frame
my $frame = Net::Stomp::Frame->new(
{ command => $command, headers => $conf, body => $body } );
$self->send_frame($frame);
This module allows you to write a Stomp client. Stomp is the Streaming Text Orientated Messaging Protocol (or the Protocol Briefly Known as TTMP and Represented by the symbol :ttmp). Its a simple and easy to implement protocol for working with Message Orientated Middleware from any language.
Net::Stomp is useful for talking to Apache ActiveMQ, an open source (Apache 2.0 licensed) Java Message Service 1.1 (JMS) message broker packed with many enterprise features.
A Stomp frame consists of a command, a series of headers and a body - see Net::Stomp::Frame for more details.
Download (0.006MB)
Added: 2007-06-23 License: Perl Artistic License Price:
854 downloads
Business::PayPal::SDK 0.14
Business::PayPal::SDK is an interface to paypals SDKs. more>>
Business::PayPal::SDK is an interface to paypals SDKs.
SYNOPSIS
use Business::PayPal::SDK;
my $pp = new Business::PayPal::SDK(
{
paypal_apiid => "sdk-seller_api1.sdk.com",
paypal_apipw => "12345678",
paypal_cert => "paypal_java_sdk/samples/Cert/sdk-seller.p12",
paypal_certpw => "password",
paypal_env => "sandbox",
java_sdk_dir => "/path/to/paypals/java/sdk",
}
);
my $res = $pp->SetExpressCheckout(
{
OrderTotal => 10.00,
ReturnURL => http:://mydomain.com/myreturn,
CancelURL => http:://mydomain.com/mycancel,
}
);
print $res->{token};
Business::PayPal::SDK is a perl interface to the SDK provided by paypal (http://www.paypal.com/sdk). You can use this module to implement paypal pro and paypal express transactions in perl. On the back end this modules uses Inline::Java to interface directly with the paypals java sdk. Consequently you will need to get a J2SDK and Inline::Java installed. This was done for 2 reasons. 1) Speed of development, didnt have to deal with all the SOAP stuff. 2) Easier maintanance regarding future changes. That is to say, I only have to make sure I keep this compatiable with paypals SDK, not thier underlying protocol changes.
This document assumes you have an understanding of the java SDK and API provided by PayPal.
All methods take a single hashref as an argument. All methods return a hashref, or undef if there is an internal failure of some sort. Check $ret->{ack} to see if the call to PayPal was successful. If $ret->{ack} is not Success than you can check the $res->{ErrorCodes}, this will be an hashref with the key being the error code from paypal and the value is the getLongMessage from the error. Check $obj->error for description of failure.
<<lessSYNOPSIS
use Business::PayPal::SDK;
my $pp = new Business::PayPal::SDK(
{
paypal_apiid => "sdk-seller_api1.sdk.com",
paypal_apipw => "12345678",
paypal_cert => "paypal_java_sdk/samples/Cert/sdk-seller.p12",
paypal_certpw => "password",
paypal_env => "sandbox",
java_sdk_dir => "/path/to/paypals/java/sdk",
}
);
my $res = $pp->SetExpressCheckout(
{
OrderTotal => 10.00,
ReturnURL => http:://mydomain.com/myreturn,
CancelURL => http:://mydomain.com/mycancel,
}
);
print $res->{token};
Business::PayPal::SDK is a perl interface to the SDK provided by paypal (http://www.paypal.com/sdk). You can use this module to implement paypal pro and paypal express transactions in perl. On the back end this modules uses Inline::Java to interface directly with the paypals java sdk. Consequently you will need to get a J2SDK and Inline::Java installed. This was done for 2 reasons. 1) Speed of development, didnt have to deal with all the SOAP stuff. 2) Easier maintanance regarding future changes. That is to say, I only have to make sure I keep this compatiable with paypals SDK, not thier underlying protocol changes.
This document assumes you have an understanding of the java SDK and API provided by PayPal.
All methods take a single hashref as an argument. All methods return a hashref, or undef if there is an internal failure of some sort. Check $ret->{ack} to see if the call to PayPal was successful. If $ret->{ack} is not Success than you can check the $res->{ErrorCodes}, this will be an hashref with the key being the error code from paypal and the value is the getLongMessage from the error. Check $obj->error for description of failure.
Download (0.009MB)
Added: 2007-06-07 License: Perl Artistic License Price:
871 downloads
TCP Knocking 0.1
TCP Knocking provides a port knocking implementation. more>>
TCP Knocking provides a port knocking implementation.
Often a secure system needs a port open so that only authorized persons can access a particular service and also the service should not exposed to attackers and worms that may use vulnerabilities that exist in the listening server. Port knocking is designed to be used as a complementary service to the existing authentication mechanism. But one of the biggest problems with port knocking is manipulating the firewall with timeouts.
When the correct knock sequence is sent, the firewall is modified for couple of seconds. Having the firewall open automatically for a time period will make any system administrator uncomfortable. TCP knocking attempts to solve the problem by incorporating the knock into the TCP handshake. Tcp knocking is similar to port knocking, but instead sending UDP packets with secret ports, the TCP handshake packets must include secrete codes. It is at least as secure as port knocking and it can be made secure with more hardening.
Modified TCP handshake:
In normal TCP handshake, the client sends the syn packet and chooses a random initial sequence number. The server responds with a packet that has both syn and ack flags set, choosing a random
The modified TCP handshake uses the empty fields in the header. The server does not respond to connection requests without a special code generated along with the syn packet. The server also encrypts the ISN in the ack packet (2) and the final packet of the three-way handshake must have the correct acknowledgment for the servers ISN. The system is further protected from brute-force attacks by closing the connection if the first attempt for the third packet does not have the expected acknowledgment sequence.
Also, rather than use conventional encryption techniques like HMAC for verification, this system uses a file with random numbers as the key. This is because of the limited unused space available in the TCP/IP header which makes HMAC very weak. By using a shared file, the length of the key can be much greater than traditional systems and even though some parts of the key can be revealed by attacks, the server can protect itself from replay attacks.
The handshake:
1) Syn
The syn packet does not use the 32 bit acknowledgment field in the TCP header as it the the first packet to initiate the connection. Further the 16 bit IPID can be used to transmit information. In the current implementation only the 32 bit acknowledgment field is used. Currently the 32 bit ack is derived from a 64 KB file which contains random numbers. The ISN and the source IP address along with the random numbers are used to generate this value.
2) Syn/Ack
The ISN is encrypted using the random numbers from the 64 KB file using the destination IP address as well as a 16 bit random number used as IPID. I do not have code for this part yet.
3) Ack
The client decrypts the syn number from the encrypted syn, the key file, the 16 bit IPID and its own IP address and sends the ack packet. The server closes all connections from the client for couple of minutes if it sends a wrong ack value. Part of the security relies on the fact that the ISN generated by Linux 2.6 is fairly random.
Implementation:
I have implemented only the first part, which is the server expecting secret code along with the first syn packet from the client. Hence it is very possible to brute-force the server. Also the system is designed with the second phase in mind, which is the encrypted Initial Sequence Number in the ack packet and closing the connection if the correct ack is not sent on the first try. I do not have an implementation for that yet. The security will be increased greatly when the second phase is incorporated. Also the ability to detect brute-force attacks can be added to this system.
But the current system can be used for protecting the server from worms and random scanning. The use-case is similar to port knocking but it does not use the ugly system of opening the firewall for a couple of seconds. Vanilla port knocking is susceptible to brute-force attacks as well. Besides, inserting a kernel module to just ssh into your server will increase your mad sysadmin points.
Enhancements:
- TCP knocking with Phase 1 of the protocol was implemented.
<<lessOften a secure system needs a port open so that only authorized persons can access a particular service and also the service should not exposed to attackers and worms that may use vulnerabilities that exist in the listening server. Port knocking is designed to be used as a complementary service to the existing authentication mechanism. But one of the biggest problems with port knocking is manipulating the firewall with timeouts.
When the correct knock sequence is sent, the firewall is modified for couple of seconds. Having the firewall open automatically for a time period will make any system administrator uncomfortable. TCP knocking attempts to solve the problem by incorporating the knock into the TCP handshake. Tcp knocking is similar to port knocking, but instead sending UDP packets with secret ports, the TCP handshake packets must include secrete codes. It is at least as secure as port knocking and it can be made secure with more hardening.
Modified TCP handshake:
In normal TCP handshake, the client sends the syn packet and chooses a random initial sequence number. The server responds with a packet that has both syn and ack flags set, choosing a random
The modified TCP handshake uses the empty fields in the header. The server does not respond to connection requests without a special code generated along with the syn packet. The server also encrypts the ISN in the ack packet (2) and the final packet of the three-way handshake must have the correct acknowledgment for the servers ISN. The system is further protected from brute-force attacks by closing the connection if the first attempt for the third packet does not have the expected acknowledgment sequence.
Also, rather than use conventional encryption techniques like HMAC for verification, this system uses a file with random numbers as the key. This is because of the limited unused space available in the TCP/IP header which makes HMAC very weak. By using a shared file, the length of the key can be much greater than traditional systems and even though some parts of the key can be revealed by attacks, the server can protect itself from replay attacks.
The handshake:
1) Syn
The syn packet does not use the 32 bit acknowledgment field in the TCP header as it the the first packet to initiate the connection. Further the 16 bit IPID can be used to transmit information. In the current implementation only the 32 bit acknowledgment field is used. Currently the 32 bit ack is derived from a 64 KB file which contains random numbers. The ISN and the source IP address along with the random numbers are used to generate this value.
2) Syn/Ack
The ISN is encrypted using the random numbers from the 64 KB file using the destination IP address as well as a 16 bit random number used as IPID. I do not have code for this part yet.
3) Ack
The client decrypts the syn number from the encrypted syn, the key file, the 16 bit IPID and its own IP address and sends the ack packet. The server closes all connections from the client for couple of minutes if it sends a wrong ack value. Part of the security relies on the fact that the ISN generated by Linux 2.6 is fairly random.
Implementation:
I have implemented only the first part, which is the server expecting secret code along with the first syn packet from the client. Hence it is very possible to brute-force the server. Also the system is designed with the second phase in mind, which is the encrypted Initial Sequence Number in the ack packet and closing the connection if the correct ack is not sent on the first try. I do not have an implementation for that yet. The security will be increased greatly when the second phase is incorporated. Also the ability to detect brute-force attacks can be added to this system.
But the current system can be used for protecting the server from worms and random scanning. The use-case is similar to port knocking but it does not use the ugly system of opening the firewall for a couple of seconds. Vanilla port knocking is susceptible to brute-force attacks as well. Besides, inserting a kernel module to just ssh into your server will increase your mad sysadmin points.
Enhancements:
- TCP knocking with Phase 1 of the protocol was implemented.
Download (0.005MB)
Added: 2006-12-06 License: GPL (GNU General Public License) Price:
1054 downloads
okons bandwidth manager 2.1
okons bandwidth manager (aka. obwman) is a simple tool for efficient traffic shaping. more>>
okons bandwidth manager (aka. obwman) is a simple tool for efficient traffic shaping. okons bandwidth manager aims to give a fair share of bandwidth to each host while imposing particular rules.
Configuration of obwman is straightforward and it is almost maintenance free., as it detects automatically hosts on the network. Obwman prioritises traffic of HTTP, TCP ACK and TCP initiate session.
Main features:
- fair allocation of bandwidth
- enforce minimum and maximum speed
- support for aggregated links (uplink agnostic)
- automatic detection of hosts on the network
- support for Squid proxy
- free (available under GNU General Public License ).
<<lessConfiguration of obwman is straightforward and it is almost maintenance free., as it detects automatically hosts on the network. Obwman prioritises traffic of HTTP, TCP ACK and TCP initiate session.
Main features:
- fair allocation of bandwidth
- enforce minimum and maximum speed
- support for aggregated links (uplink agnostic)
- automatic detection of hosts on the network
- support for Squid proxy
- free (available under GNU General Public License ).
Download (0.085MB)
Added: 2006-12-27 License: GPL (GNU General Public License) Price:
1037 downloads
Berkley Snoop for Linux 0.3 RC4
Berkley Snoop for Linux is a module which adds support for the Snoop protocol. more>>
Berkley Snoop for Linux is a module which adds support for the Snoop protocol, a TCP-aware link layer protocol designed that can improve the performance of TCP over networks of wired and single-hop wireless links.
While TCP adapts well to network congestion, it does not adequately handle the vagaries of wireless media. In this thesis, we address these challenges in detail and design solutions to them. These solutions incorporate link-layer techniques as well as enhancements to TCP at the sender and receiver. The Snoop protocol is a TCP-aware link layer protocol designed to improve the performance of TCP over networks of wired and single-hop wireless links.
The implementation is for kernels of 2.6.x series. This software is intended to use on routers acting between big fat pipe(BFP) link and wireless link.
The problem: The wireless link is error prone by its nature and BFP links such as satellite one has very big round-trip time. When error occurs on wireless segment it causes in speed reduction because the TCP protocol on sending side treats this error as link congestion although the error was just a temporary link quality loss and the connection cannt recover its speed.
The fix: The module will cache TCP segmets passing to host on wireless segment until the ACK(nowledgmet) is received or timeout expired. In case of timeout the segment will be retransmitted again. And by the way the module will drop all DUP(licate) ACK(nowledgmets) caused by packet loss on wireless segment and prevent the reduction of speed of flow from the host beyond the satellite link. The module works now only with connections initiated from wireless hosts.
Enhancements:
- fixed issues with improper use of locks & memory allocation the memory allocates now with GFP_ATOMIC priority
<<lessWhile TCP adapts well to network congestion, it does not adequately handle the vagaries of wireless media. In this thesis, we address these challenges in detail and design solutions to them. These solutions incorporate link-layer techniques as well as enhancements to TCP at the sender and receiver. The Snoop protocol is a TCP-aware link layer protocol designed to improve the performance of TCP over networks of wired and single-hop wireless links.
The implementation is for kernels of 2.6.x series. This software is intended to use on routers acting between big fat pipe(BFP) link and wireless link.
The problem: The wireless link is error prone by its nature and BFP links such as satellite one has very big round-trip time. When error occurs on wireless segment it causes in speed reduction because the TCP protocol on sending side treats this error as link congestion although the error was just a temporary link quality loss and the connection cannt recover its speed.
The fix: The module will cache TCP segmets passing to host on wireless segment until the ACK(nowledgmet) is received or timeout expired. In case of timeout the segment will be retransmitted again. And by the way the module will drop all DUP(licate) ACK(nowledgmets) caused by packet loss on wireless segment and prevent the reduction of speed of flow from the host beyond the satellite link. The module works now only with connections initiated from wireless hosts.
Enhancements:
- fixed issues with improper use of locks & memory allocation the memory allocates now with GFP_ATOMIC priority
Download (0.015MB)
Added: 2006-04-20 License: GPL (GNU General Public License) Price:
1287 downloads
Configuration with no services supported
Configuration with no services supported script is for a single host firewall configuration with no services supported. more>>
Configuration with no services supported script is for a single host firewall configuration with no services supported by the firewall machine itself.
Sample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
<<lessSample:
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/usr/local/sbin"
# Our internal network address space and its supporting network device.
OURNET="10.5.0.0/24"
OURBCAST="10.5.0.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="ppp0"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="ssh,ftp,ftp-data"
TCPOUT="smtp,www,ssh,telnet,ftp,ftp-data,irc,http"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
####################################
# Flush the Input table rules
echo -n Flushing forward... && {
$IPTABLES -F FORWARD
} && echo done
# We want to deny incoming access by default.
# echo -n Denying incoming access... && {
# $IPTABLES -P FORWARD drop
# } && echo done
# Drop all datagrams destined for this host received from outside.
echo -n Dropping incoming datagrams... && {
$IPTABLES -A INPUT -i $ANYDEV -j DROP
} && echo done
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
echo -n Preventing spoofing... && {
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
} && echo done
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
echo -n Preventing SMURFs... && {
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET -j DROP
} && echo done
# We should accept fragments, in iptables we must do this explicitly.
echo -n Accepting fragments... && {
$IPTABLES -A FORWARD -f -j ACCEPT
} && echo done
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports were allowing through.
# This should catch more than 95 % of all valid TCP packets.
echo -n Accepting valid incoming tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
echo -n Accepting valid outgoing tcp datagrams on existing connections... && {
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT
} && echo done
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
echo -n Accepting incoming tcp connections on allowed ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET --dports $TCPIN --syn -j ACCEPT
} && echo done
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed TCP ports.
echo -n Accepting outgoing traffic on allowed tcp ports... && {
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR --dports $TCPOUT --syn -j ACCEPT
} && echo done
# UDP - INCOMING
# allow UDP datagrams in on the allowed ports and back.
echo -n Allowing UDP datagrams in on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET --sports $UDPIN -j ACCEPT
} && echo done
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
echo -n Allowing UDP datagrams out on the allowed ports and back... && {
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR --sports $UDPOUT -j ACCEPT
} && echo done
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
# echo -n Allowing ICMP datagrams in of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET --icmp-type $ICMPIN -j ACCEPT
# } && echo done
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
# echo -n Allowing ICMP datagrams out of the allowed types... && {
# $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR --icmp-type $ICMPOUT -j ACCEPT
# } && echo done
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if youve
# configured the LOGGING variable above.
#
# DoS
# enabling Syn-flood protection
echo -n Enabling Syn-flood protection... && {
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling Furtive port scanner protection
echo -n Enabling Furtive port scanner protection... && {
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
} && echo done
# Enabling ping of death protection
echo -n Enabling ping of death protection... && {
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
} && echo done
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
982 downloads
Lutel Firewall 0.99
LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. more>>
LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. It uses human-readable and easy to understand configuration to set up Netfilter in most secure way. Its flexibility allows firewall admins build from very simple, single-homed firewalls, to most complex ones - with multiple subnets, DMZs and traffic redirections. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. Configuration method of this firewall is made to be as simple as possible without loosing Netfilter flexibility and its security facilities.
Main features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking
<<lessMain features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking
Download (0.028MB)
Added: 2006-07-08 License: GPL (GNU General Public License) Price:
1204 downloads
DHCPsql 0.2-pre6
DHCPsql projects implements the RFC2132 and at least RFC3046 as a dynamic configurable SQL-based DHCP server. more>>
DHCPsql projects implements the RFC2132 and at least RFC3046 as a dynamic configurable SQL-based DHCP server, based on the udhcpd code, extended to mask-and-select by client DHCP packets.
Targets:
- Discover, start with a working pre prototype, always send first ip in subnet
- Leases, SQL implementation should be done for storing and recieving leases. To send next free ip in subnet.
- Static leases, fixed leasetime
- Request, basics send ACK/NAK
- Webfrontend, initial frontend for viewing the database
Enhancements:
- This version of DHCPsql supports OPTION_LIST with OPTION_IP.
- This allows administrators to add multiple IP addresses to their DHCP options.
- This feature was lacking in the previous releases where only one IP address was allowed, and this limited the use of the nameserver field.
<<lessTargets:
- Discover, start with a working pre prototype, always send first ip in subnet
- Leases, SQL implementation should be done for storing and recieving leases. To send next free ip in subnet.
- Static leases, fixed leasetime
- Request, basics send ACK/NAK
- Webfrontend, initial frontend for viewing the database
Enhancements:
- This version of DHCPsql supports OPTION_LIST with OPTION_IP.
- This allows administrators to add multiple IP addresses to their DHCP options.
- This feature was lacking in the previous releases where only one IP address was allowed, and this limited the use of the nameserver field.
Download (0.043MB)
Added: 2007-03-07 License: GPL (GNU General Public License) Price:
962 downloads
narc 0.7
NARC is a free firewalling package for Netfilter/Iptables. more>>
NARC is a free firewalling package for Netfilter/Iptables. It attempts to simplify the setup of a firewall (stateful packet filter) via the iptables tools. NARC is a bash shellscript that generates sensible and secure rules for Netfilter based on a simple configuration file.
Netfilter is the framework in Linux 2.4 kernels that allow for firewalling, NAT, and packet mangling. Iptables is the userspace tools that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as the kernel space, and Iptables as the userspace.
Main features:
- Quick setup via a simple configuration file
- Connection tracking (and fragmentation reassembly)
- Customized logging
- Probe detection (TCP & UDP)
- Illegal TCP packet filtering
- FIN, NULL, ACK scan detection
- ICMP message filtering and rate limiting
- SYN packet length checking
- General rate limiting (to prevent DoS type attacks)
- IP/network based TCP connection rate limiting
- SYN flood protection
- Smurf attack protection
- Spoofed IP address filtering
- DMZ support
- Port forwarding support
<<lessNetfilter is the framework in Linux 2.4 kernels that allow for firewalling, NAT, and packet mangling. Iptables is the userspace tools that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as the kernel space, and Iptables as the userspace.
Main features:
- Quick setup via a simple configuration file
- Connection tracking (and fragmentation reassembly)
- Customized logging
- Probe detection (TCP & UDP)
- Illegal TCP packet filtering
- FIN, NULL, ACK scan detection
- ICMP message filtering and rate limiting
- SYN packet length checking
- General rate limiting (to prevent DoS type attacks)
- IP/network based TCP connection rate limiting
- SYN flood protection
- Smurf attack protection
- Spoofed IP address filtering
- DMZ support
- Port forwarding support
Download (0.018MB)
Added: 2006-07-07 License: BSD License Price:
698 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above ack search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
