Date: Tue, 22 Jan 2002 22:56:05 -0500
From: Ray Kohler <rkohler1@cox.rr.com>
To: m p <sumirati@yahoo.de>, Scott Nolde <scott@smnolde.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Some questions about ipfw
Message-ID: <053275052031712FE8@mail8.mgfairfax.rr.com>
In-Reply-To: <20020123025215.95139.qmail@web13303.mail.yahoo.com>
References: <20020123025215.95139.qmail@web13303.mail.yahoo.com>
On Tuesday 22 January 2002 09:52 pm, m p wrote:
> Scott Nolde wrote:
> > This is a normal response after instituting the rules you've
> > set forth.
>
> I cannot see why the packets should be denied. If there were
> other packets sent back to him, he should see them denied in
> the logs too. But he is not seeing them.
>
> "setup" and "established" can be bypassed with hand-crafted
> packets which have the SYN and ACK bits set. That is the behaviour
> of any stateless firewall. With "keep-state", only packets are
> allowed that match a rule created by his machine at connection
> start time.
>
> It is considered "more secure" to use "keep-state" _correctly_.
>
> For testing, can you, Ray, please test some rules with "setup" and
> "established" _only_ to see if it helps to use "setup" and
> "established"?
>
> Your ruleset looks okay to me.

Doing the TCP with "established" and "setup" rules seems to improve behavior, but then I'm beginning to think that there was network trouble upstream at that point anyway and that's why things were showing up so late. I'm considering just going back to IPF at this point; I had it working before and it just seems a little "smarter" than IPFW.

--
Ray Kohler

Schnuffel, n.: A dog's practice of continuously nuzzling in your crotch in mixed company.
-- Rich Hall, "Sniglets"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
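The point m p makes above, that a stateless "established" rule trusts the ACK bit alone while "keep-state" only admits packets matching a flow the host itself opened, is easy to see in a small model of rule evaluation. The following is an added example written for this archive page, not code from the thread or from ipfw itself: it is a simplified simulation of how the two rule styles classify the same constructed packet sequence (the addresses, ports and the `Packet` type are made up for illustration; real ipfw dynamic rules also expire and track more flags than this toy does).

```python
"""Toy model contrasting ipfw-style 'established' rules with 'keep-state'.

Constructed example: addresses, ports and the Packet type are illustrative
and the matching logic is a deliberate simplification of ipfw semantics.
"""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", from the firewall host's point of view
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present on the packet


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear (first packet of a handshake)."""
    return SYN in p.flags and ACK not in p.flags


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set. Nothing here checks whether a
    handshake ever happened, which is exactly what hand-crafted packets abuse."""
    return ACK in p.flags or RST in p.flags


def stateless_policy(packets):
    """Mimics the ruleset:
         allow tcp from any to any established
         allow tcp from me to any setup
         deny  tcp from any to any
    """
    verdicts = []
    for p in packets:
        if is_established(p):
            verdicts.append("allow")
        elif p.direction == "out" and is_setup(p):
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


def stateful_policy(packets):
    """Mimics the ruleset:
         check-state
         allow tcp from me to any setup keep-state
         deny  tcp from any to any
    A dynamic rule is created only by an outbound SYN and is stored for both
    directions of that 4-tuple; everything else falls through to the deny.
    """
    state = set()           # dynamic rules keyed by (src, sport, dst, dport)
    verdicts = []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        if fwd in state:                                  # check-state hit
            verdicts.append("allow")
        elif p.direction == "out" and is_setup(p):        # setup keep-state
            state.add(fwd)
            state.add((p.dst, p.dport, p.src, p.sport))   # reverse direction
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


# Constructed traffic: one legitimate outbound web connection, then two
# unsolicited inbound packets from an unrelated host.
ME, SERVER, STRANGER = "192.0.2.10", "198.51.100.20", "203.0.113.5"
TRAFFIC = [
    Packet("out", ME, 40000, SERVER, 80, frozenset({SYN})),        # our SYN
    Packet("in", SERVER, 80, ME, 40000, frozenset({SYN, ACK})),    # their SYN+ACK
    Packet("in", SERVER, 80, ME, 40000, frozenset({ACK})),         # data from server
    Packet("in", STRANGER, 31337, ME, 22, frozenset({ACK})),       # unsolicited ACK
    Packet("in", STRANGER, 31337, ME, 22, frozenset({SYN})),       # unsolicited SYN
]


def compare_policies(packets=TRAFFIC):
    """Return both verdict lists so the difference can be inspected or asserted."""
    return {"stateless": stateless_policy(packets), "stateful": stateful_policy(packets)}


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:>9}: {verdicts}")
```

Only the fourth packet differs between the two runs: the stateless ruleset lets the unsolicited ACK through because the bit is set, whereas the stateful ruleset denies it because no outbound SYN ever created a matching dynamic rule. That is the reason for the recommendation in the quoted text to use "keep-state" rather than relying on "established" alone.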