QUIVIR Research Group
Edit Page
Page Revisions
Contact Us



Upcoming Events

Projects and Research




Master Thesis



Faculty Members

Rafael M. Gasca, PhD

María Teresa Gómez, PhD

Pablo Neira Ayuso, PhD

Sergio Pozo Hidalgo, PhD

Rafael Ceballos, PhD

Fernando de la Rosa, PhD

Miguel Toro, PhD

Diana Borrego, PhD

Ángel Jesús Varela Vaca, PhD

Luisa Parody, PhD

José Miguel Pérez Álvarez


TDiaCO-BPMS (2010)

OPbus (2009)

Edit Menu


  • conntrack-tools by Pablo Neira Ayuso The Connection Tracking System is an in-kernel subsystem that stores information about the state of the connections that the firewall is currently forwarding. Such extra information inherently enables a more intelligent way to define filtering policies that is also known as Stateful firewalling. In other words, this subsystem let us detect malformed packets, invalid sequences for OSI layer 3 and 4 protocol, eg. TCP reset attacks and portscans, and other rarities that are invalid in terms of the protocol specification.

    On the other hand, existing opensource high availability solutions, like heartbeat [1] and keepalived [2], use replication techniques of single point of failures (SPOF) to avoid service disrupts. Basically, such
    techniques consists on having a cluster of several hosts where one or more are active and the rest are in backup mode, eg. waiting for the failure of active hosts. Unfortunately, this solutions does not cover all the required aspects of Stateful Firewalls to ensure that the backup hosts can complete successfully the takeover of the connections that are being forwarded, in other words, the backup hosts does not have knowledge of the state of the forwarded connections, therefore they
    cannot apply the appropiate filtering policy based on states anymore resulting in unexpected behaviours like connections halt and shutdown.

    Conntrackd: Netfilter's Connection Tracking System Userspace Daemon

    Conntrackd is the userspace daemon for the Connection Tracking System. This daemon maintains a copy of the Connection Tracking System in userspace. It is entirely written in C and is highly configurable and easily extensible. Currently it covers the specific aspects of Stateful Linux firewalls to enable high availability solutions and can be used as statistics collector of the firewall use.

    The software is available at: http://conntrack-tools.netfilter.org

Edit Page - Page Revisions - RecentChanges

Send comments and suggestions to: gasca@lsi.us.es
Page last modified on October 29, 2010, at 08:37 PM