From: dfolkins <dfolkins@comcast.net>
Date: Thu, 12 Sep 2002 23:45:52 -0400
Subject: Re: ipfw, natd, and keep-state - strange behavior?
To: freebsd-security@FreeBSD.ORG
Message-id: <000a01c25ad8$0ee04610$0a00a8c0@groovy3xp>
References: <20020912152423.M3276-100000@walter>
Sender: owner-freebsd-security@FreeBSD.ORG

now this is a very interesting discussion and all, but um, could someone take a look at what i posted originally and tell me why there is this rogue short-lived dynamic rule popping up and what i can do about it that does _not_ involve making non-stateful rules? pretty please? :) i would really appreciate it.

-- dfolkins

P.S. i have to say that i put my eggs in the stateful basket (as opposed to nonstateful).
chuck's argument with respect to dyn-rule overflow DoS is a valid one, but only if one allows stateful _incoming_ connections. overall, stateful rules are more restrictive, and the argument of "what if you accidentally make an outgoing connection to an evil site" holds no water cuz it's just as bad with nonstateful rules. anyway, back to our scheduled program - why does the strange short-lived dynamic rule show up?

P.P.S. thank you mike for the aaron gifford link, those patches look pretty nice. but i already have a _workaround_ - i.e. remove "setup" from the outgoing stateful rule. i wanted to find out what was going on and why.

P.P.P.S. [wow, three of them!] switching to ipnat as per pierre's advice maybe is a good idea, but seems to involve lots of work. heh, maybe i will play with ipfw for a while longer. it's what i "grew up" with, after all. i can't just abandon it in its hour of need, can i? :)