From 31bad73504a26fa075b83fce7b2e1bcdc660e8de Mon Sep 17 00:00:00 2001 From: Niels Werensteijn Date: Thu, 20 Oct 2016 09:18:48 +0200 Subject: [PATCH] updated readme a bit --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f0c94fe..e007309 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This set of plugins is designed to let the Linux kernel (or rather netfilter) ha ## Protocol background and module description When a TeamSpeak 3 client attempts to connect to a TeamSpeak 3 server, it sends out a "get cookie" packet. The server then replies with a "set cookie" packet. This packet has some secret information about the connection details. The client then response with a "get puzzle" packet. This packet includes the cookie that it got previously. The server now validates this cookie and if its correct it continues with the rest of the connection packets. -This software packages comes with two netfilter match extensions, and two netfilter target extensions which we will discus next. These extensions combined with some other netfilter modules, can take over the initial connection phase for a TeamSpeak 3 server. This makes it possible to prevent any packet that has not been verified to come from the ip address it claims as it's source, to reach the TeamSpeak 3 server. +This software packages comes with two netfilter match extensions, and three netfilter target extensions which we will discus next. These extensions combined with some other netfilter modules, can take over the initial connection phase for a TeamSpeak 3 server. This makes it possible to prevent any packet that has not been verified to come from the ip address it claims as it's source, to reach the TeamSpeak 3 server. ## Match extensions The first match extensions is called *ts3init_get_cookie*. It matches if the packet in question is a valid TeamSpeak 3 "get cookie" packet from the client. There are additional parameters that can be set: 
@@ -28,11 +28,11 @@ $ iptables -m ts3init_get_puzzle -h ts3init_get_puzzle match options: --min-client n The sending client needs to be at least version. --check-cookie Check that the cookie was generated by same seed. - --seed Seed is a 60 byte lowercase hex number in. + --random-seed Seed is a 60 byte hex number. A source could be /dev/random. - --seed-file Read the seed from a file. + --random-seed-file Read the seed from a file. ``` -The min-client parameter is the same as above. The check-cookie parameter matches if it matches the cookie that was generated in the netfilter target extension ts3init_set_cookie. To match the seed needs to be exactly the same of course. It is possible to check cookies that were generated on a different machine, provided that those machines have the same date and time, and the seem seed specified. In other words: The cookie is created in a deterministic way, depending only on the current time and the seed. +The min-client parameter is the same as above. The check-cookie parameter matches if it matches the cookie that was generated in the netfilter target extension ts3init_set_cookie. To match the seed needs to be exactly the same of course. It is possible to check cookies that were generated on a different machine, provided that those machines have the same date and time, and the same seed specified. In other words: The cookie is created in a deterministic way, depending only on the current time and the seed. If check-cookie is specified, either random-seed or random-seed-file need to be specified too. ## Target extensions The second target extension is called "TS3INIT_RESET". It takes no parameters. This target drops the packet and sends a "reset" packet back to the sender. The sender should always be the TeamSpeak 3 client. Starting with the TeamSpeak 3.1 client, the client will react to the reset packet by resending the "get cookie" to the server. Older clients do not handle this packet.
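Review bot: In the first hunk (@@ -8,7 +8,7 @@), the rewritten sentence changes the count to "three netfilter target extensions" but keeps its existing typos, so fix them while the line is being touched: "This software packages comes" should be "This software package comes", "discus" should be "discuss", and "it's source" should be "its source". The unchanged context line above it has the same kind of slip ("The client then response with", "if its correct"). Please also check that the "Target extensions" section actually describes three targets and numbers them consistently with the new count; the only one visible in this patch is introduced as "The second target extension".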
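Review bot: In the second hunk (@@ -28,11 +28,11 @@), the new `--random-seed` help line "Seed is a 60 byte hex number" drops the earlier "lowercase" wording and is ambiguous about length: say whether uppercase hex is accepted, and whether the value is 60 bytes of seed (120 hex characters) or 60 hex characters. "A source could be /dev/random" would also be more useful with a note on how the raw bytes become hex, since /dev/random does not emit hex itself. In the added sentence, "either random-seed or random-seed-file need to be specified" should read "needs to be specified", and it should state whether giving both is an error. Because the options are renamed from `--seed` and `--seed-file`, the README should say whether the old names are still accepted, since existing rule sets use them. The context line "--min-client n The sending client needs to be at least version." is still missing its object and could be completed in the same change.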