[grsec] grsec's tcp source port randomization
Brad Spengler
spender at grsecurity.net
Wed Apr 25 18:03:46 EDT 2007
On Sat, Apr 21, 2007 at 08:35:12PM -0500, Brant Williams wrote:
>
> Hello,
>
> I just happened to notice that there no longer seems to be a grsec kernel
> option to randomize TCP source ports. Just wondering when/why this was
> removed. Also... is there a grsec changelog somewhere? I don't see one
> in the kernel source tree, or online.
The 2.6 kernel (since 2.6.11) by default supports pseudo-random TCP
source ports. The algorithm used in 2.4 caused the problem described at:
http://forums.grsecurity.net/viewtopic.php?p=6076
which couldn't be resolved without greatly increasing the complexity of
the option. The forums contain more in depth information on these
topics.
I've updated the CVS page to reflect the status of the CVS repositories.
Simply, it doesn't make much sense to keep an updated repository when
the 2.6 kernel changes so drastically so often. Any changes made to the
non-PaX portion of grsecurity are listed at release time. Changes in
PaX can be seen by interdiffing the various test patches available. I'd
discourage the use of applying any sort of interdiff as a backport,
especially for the 2.6 series of kernels since PaX has undergone large
changes through each version to adapt to the newer kernels. Exceptions
of course are for when either the PaX team or myself offer small patches
that can be backported.
CVS is still maintained for gradm.
-Brad
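The reply above rests on one technical claim: that a mainline 2.6.11 or later kernel already hands out pseudo-random TCP source ports, so the grsecurity option is redundant. The following is an added example, not part of Brad's message and not grsecurity or kernel code, showing how to spot-check that claim on a running system. It binds a handful of TCP sockets to port 0 so the kernel must choose an ephemeral port for each, reads the configured range from /proc/sys/net/ipv4/ip_local_port_range (the fallback range 32768-60999 used when that file is absent is an assumed default), and flags an allocator that simply counts upward by a small constant step. The function names and the step threshold are this example's own choices.

```python
"""Spot-check ephemeral TCP source port allocation on the local kernel.

Added example for the grsecurity list discussion above; it is not
grsecurity's or the kernel's code.  bind() to port 0 exercises the
kernel's local port chooser; a randomising kernel should return ports
scattered across the local port range rather than a counting sequence.
"""
import socket

# Assumed fallback only; the real range is read from procfs when present.
DEFAULT_PORT_RANGE = (32768, 60999)


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) from the sysctl file, or the assumed default."""
    try:
        with open(path) as f:
            low, high = f.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_PORT_RANGE


def sample_source_ports(n=32, host="127.0.0.1"):
    """Let the kernel pick n ephemeral ports and return them in order.

    The sockets stay open until all n are bound so no port is reused
    within the sample; they are closed before returning.
    """
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, 0))          # port 0: kernel chooses
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def looks_sequential(ports, max_step=2):
    """True if every consecutive pair increases by 1..max_step.

    That is the signature of a plain counter; a random chooser produces
    large jumps in both directions.
    """
    if len(ports) < 3:
        return False
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return all(0 < step <= max_step for step in steps)


def port_spread(ports):
    """Distance between the smallest and largest port in the sample."""
    return max(ports) - min(ports)


def assess(ports, port_range):
    """Summarise a sample as a dict a caller or test can inspect."""
    low, high = port_range
    return {
        "count": len(ports),
        "within_range": all(low <= p <= high for p in ports),
        "sequential": looks_sequential(ports),
        "spread": port_spread(ports) if ports else 0,
    }


if __name__ == "__main__":
    rng = local_port_range()
    sample = sample_source_ports()
    print("configured range:", rng)
    print("sampled ports:   ", sample)
    print("assessment:      ", assess(sample, rng))
```

This samples the bind() path only. A connect()-based sample to a single destination is not a like-for-like test, because Linux derives the starting port for connects from a keyed hash of the destination and may then step through nearby ports for that destination, so a run of close ports there does not by itself mean the secret offset is predictable.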