TCP SYN Proxy

Nicholas Jenkins njenkins@voyager.net
Tue, 4 Sep 2001 23:12:56 -0400


Good Day,

I am interested in writing a TCP SYN proxy that fits into the netfilter
schema.  I have made use of freeware long enough, and have made absolutely
no contributions (other than some minor bug fixes) in 7 or 8 years.  So,
it's my turn.

I am a competent programmer (as I have made a living at this from time to
time), and I should be more than capable.

However, other than using the 2.4 kernel (and iptables) to configure some
firewalling for home use (which is SO----- much nicer than ipchains!!!), I
have no experience with netfilter at any level.

Here is what I am thinking: make a connection-tracking module (or a pair of
them, as I understand it) that sees inbound TCP connection requests and
responds on behalf of the destination host; then, if and when an ACK-ACK
comes back, replay the SYN, SYN/ACK, ACK/ACK connection request to the actual
server.  Otherwise, just drop the initial SYN, SYN/ACK pair from memory on
the firewall.  Assuming this is in-line before much of anything else has
handled the packet, this should work for both the local machine (firewall)
and any hosts it is filtering for.

Although I did come up with these plans on my own (after seeing an article
about a recent Usenix presentation on this topic), I must confess others had
this implementation idea before me (which is good, as it ratifies the
SYN-proxy idea).  And I see no reason why people should have to pay
$10k-$15k per "server" to do this, when I should be able to program this in
a couple of weeks at night (or so I think...).

Please bombard me with suggestions, and save me the aggravation of wading
through unnecessary code, and making lots of bad "placement" decisions at
the time.  One last note, if someone else is already working on this, and I
am just being stupid, please be gentle.

-NICK
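A constructed model of the handshake handling the post sketches, added here as an example and not code from the post or from netfilter: the proxy answers the client's SYN itself, keeps the half-open handshake in a small table, hands it to the real server only when the client's ACK carries the expected sequence numbers, and forgets entries whose client never answered. The table size, TTL, verdict names and the counter standing in for a random ISN source are all assumptions; the replay to the real server is represented only by the returned verdict.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model (not netfilter code) of the SYN-proxy state machine the post sketches:
 * answer the client's SYN ourselves, remember the half-open handshake, and hand it to the
 * real server only once the client's ACK proves it completed. Names, sizes, TTL: hypothetical. */
#define MAX_PENDING 16
#define PENDING_TTL 3                     /* seconds a half-open entry may linger */
enum verdict { V_DROP = 0, V_REPLY_SYNACK = 1, V_REPLAY_TO_SERVER = 2 };
struct pending {
    bool used;
    uint32_t saddr; uint16_t sport;       /* client address and port */
    uint32_t client_isn, proxy_isn;       /* client's SYN seq, and the ISN we answered with */
    uint32_t created;                     /* arrival time, seconds */
};
static struct pending table[MAX_PENDING];
static uint32_t isn_counter = 0x1000u;    /* stand-in for a random ISN source */
static struct pending *lookup(uint32_t saddr, uint16_t sport) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].used && table[i].saddr == saddr && table[i].sport == sport)
            return &table[i];
    return NULL;
}
/* Inbound SYN: record it and tell the caller to answer with a SYN/ACK whose seq is *synack_seq. */
enum verdict on_syn(uint32_t saddr, uint16_t sport, uint32_t client_isn,
                    uint32_t now, uint32_t *synack_seq) {
    struct pending *p = lookup(saddr, sport);
    for (int i = 0; !p && i < MAX_PENDING; i++)
        if (!table[i].used) p = &table[i];
    if (!p) return V_DROP;                /* table full: shed load, never queue to the server */
    *p = (struct pending){ true, saddr, sport, client_isn, isn_counter++, now };
    *synack_seq = p->proxy_isn;
    return V_REPLY_SYNACK;
}
/* Inbound ACK: only the exact seq/ack pair proves the client completed the handshake. */
enum verdict on_ack(uint32_t saddr, uint16_t sport, uint32_t seq, uint32_t ack) {
    struct pending *p = lookup(saddr, sport);
    if (!p || seq != p->client_isn + 1 || ack != p->proxy_isn + 1) return V_DROP;
    p->used = false;                      /* caller now replays SYN, SYN/ACK, ACK to the server */
    return V_REPLAY_TO_SERVER;
}
/* Housekeeping: drop half-open entries whose client never answered; returns how many. */
int expire(uint32_t now) {
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].used && now - table[i].created > PENDING_TTL) { table[i].used = false; n++; }
    return n;
}
```

Because the server never sees a SYN until the client has answered the proxy's SYN/ACK, spoofed-source floods only ever occupy entries in this table, and `expire` bounds how long they do.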