From: "R. B. Riddick"
To: Dan Lukes, freebsd-security@freebsd.org
Date: Sat, 11 Nov 2006 11:33:56 -0800 (PST)
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
In-Reply-To: <45562245.8070804@obluda.cz>
Message-ID: <159176.35953.qm@web30310.mail.mud.yahoo.com>

--- Dan Lukes wrote:

> Stateful rules can stop the sophisticated intruder, but are often more
> vulnerable to DoS attacks.
>
> Every method has pros and cons ...
>

Hmm... U mean, when someone creates a lot of states?
At least pf can limit that...

But here it looks like just the good guys can create a state (from the
good-network via the public network to the trusted web sites), so that states
can't hurt, I think...

-Arne