Date: Wed, 21 Jan 2004 18:20:01 +1300
From: Jonathan Chen
To: fbsd_user
Cc: Micheal Patterson, freebsd-questions@freebsd.org
Subject: Re: ipfw/nated stateful rules example
Message-ID: <20040121052001.GA33062@grimoire.chen.org.nz>
References: <02d501c3dfc1$796e4da0$0201a8c0@dredster>

On Tue, Jan 20, 2004 at 09:18:27PM -0500, fbsd_user wrote:
> Yes you are making it work, but not work
> correctly. In the true security sense, this is un-secure and
> invalidates the whole purpose of using keep-state rules at all. This
> would never be allowed by a real firewall security professional.

I'm curious as to why you'd consider it insecure. How would applying
the keep-state rules on the public IP be any more secure than using it on
the internal IP? The mechanism works the same regardless. You haven't
provided a case as to why you think it is unsecure.

--
Jonathan Chen
----------------------------------------------------------------------
Don't worry about avoiding temptation, as you grow older, it starts
avoiding you.