Date: Thu, 12 Sep 2002 23:45:52 -0400
From: dfolkins <dfolkins@comcast.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp>
References: <20020912152423.M3276-100000@walter>
Now this is a very interesting discussion and all, but um, could someone take a look at what I posted originally and tell me why there is this rogue short-lived dynamic rule popping up and what I can do about it that does _not_ involve making non-stateful rules? Pretty please? :) I would really appreciate it.

-- dfolkins

P.S. I have to say that I put my eggs in the stateful basket (as opposed to non-stateful). Chuck's argument with respect to dyn-rule overflow DoS is a valid one, but only if one allows stateful _incoming_ connections. Overall, stateful rules are more restrictive, and the argument of "what if you accidentally make an outgoing connection to an evil site" holds no water because it's just as bad with non-stateful rules. Anyway, back to our scheduled program - why does the strange short-lived dynamic rule show up?

P.P.S. Thank you Mike for the Aaron Gifford link, those patches look pretty nice. But I already have a _workaround_ - i.e. remove "setup" from the outgoing stateful rule. I wanted to find out what was going on and why.

P.P.P.S. [wow, three of them!] Switching to ipnat as per Pierre's advice maybe is a good idea, but seems to involve lots of work. Heh, maybe I will play with ipfw for a while longer. It's what I "grew up" with, after all. I can't just abandon it in its hour of need, can I? :)
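As an added example, not code from this message or from anyone in the thread: the two ipfw rulesets the poster is contrasting, outgoing TCP with "setup keep-state" versus the workaround of "keep-state" alone, written as a small sh script together with the commands for looking at the dynamic rule table and the sysctls that bound it. The rule numbers, the use of "me" for the host's own addresses and the assumption that the host only originates connections are mine; the script does not claim to explain the short-lived dynamic rule the message asks about, it only shows where such an entry would be visible.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two ipfw rulesets for a host
# that only originates connections, side by side: the form the poster started
# with ("setup keep-state") and the workaround he describes (plain "keep-state"),
# plus the commands used to watch the dynamic rule table. Rule numbers and the
# use of "me" for the host's own addresses are this example's assumptions.
# Loading rules needs root on FreeBSD; set DRY_RUN=1 to print the commands
# instead, which is also what happens when no ipfw binary is present.

fw() {
    if [ -n "${DRY_RUN:-}" ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# Common head and tail: check-state first, so packets matching an existing
# dynamic rule are accepted before any static rule is consulted, and a final
# logged deny so everything not covered by a rule is dropped.
rules_head() {
    fw -q flush
    fw add 100 check-state
}

rules_tail() {
    fw add 300 allow udp from me to any keep-state
    fw add 65000 deny log ip from any to any
}

# Variant A: stateful outgoing TCP with "setup". "setup" matches only packets
# that open a connection (SYN set, ACK clear), so the dynamic rule is created
# from the initial SYN and the rest of the flow must match that dynamic rule.
ruleset_setup() {
    rules_head
    fw add 200 allow tcp from me to any setup keep-state
    rules_tail
}

# Variant B: the workaround from the message, the same rule without "setup".
# Any outgoing TCP packet that reaches rule 200, not only the SYN, can match
# it and create a dynamic rule.
ruleset_workaround() {
    rules_head
    fw add 200 allow tcp from me to any keep-state
    rules_tail
}

# Watch the dynamic rule table: "ipfw -d show" lists dynamic rules with their
# remaining lifetime, which is where a short-lived entry like the one in the
# thread would show up. The sysctls cap the table size (the overflow concern
# raised in the discussion) and set how long entries live in each TCP state.
show_dynamic() {
    fw -d show
    if command -v sysctl >/dev/null 2>&1; then
        sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_syn_lifetime \
               net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null || true
    fi
}

# Count the rules in a generated ruleset that carry the "setup" keyword, so a
# script can confirm which variant it is about to load.
count_setup_rules() {
    "$1" | grep -c ' setup ' || true
}

case "${1:-}" in
    setup)      ruleset_setup ;;
    workaround) ruleset_workaround ;;
    show)       show_dynamic ;;
esac
```

Run as `DRY_RUN=1 sh ipfw-state.sh setup` or `... workaround` to see the rule lists without touching the firewall, and `sh ipfw-state.sh show` as root on the FreeBSD box to dump the live dynamic rules while reproducing the behaviour.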
