Date: Mon, 6 May 2002 17:28:57 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Jens Rehsack <rehsack@liwing.de>
Cc: Michael Riexinger <mailinglists@grindking.de>, freebsd-stable@freebsd.org
Subject: Re: ipfilter problem
Message-ID: <20020506172856.A97107@mail.webmonster.de>
In-Reply-To: <3CD67F4E.E7A27EEE@liwing.de>; from rehsack@liwing.de on Mon, May 06, 2002 at 03:04:14PM +0200
References: <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom> <20020505184630.A76286@mail.webmonster.de> <3CD5B662.26298116@liwing.de> <20020506020820.A82377@mail.webmonster.de> <3CD64534.672CD6A7@liwing.de> <20020506114555.C91849@mail.webmonster.de> <3CD67F4E.E7A27EEE@liwing.de>
Jens Rehsack(rehsack@liwing.de)@2002.05.06 15:04:14 +0000:
> "Karsten W. Rohrbach" wrote:
> > pass in quick on isp0 proto tcp from any to any port = 80 flags S/SA keep state
> > # we want state added when establishing a
> > # session, not for every tcp packet that passes
> > # this rule
> If you read your own statement above you can cut the flags, because all dynamic
> rules added "quick" before this rule/line, so this rule is never parsed for
> any already matched ...

valid point, my reasoning was wrong (worse: it hurts so bad, that i
wonder why nobody else intervened ;-)

the reasoning about "why flags S/SA" boils down to the point that no
out-of-session packet should be allowed to create a state. session
establishment is restricted to SYN/SYN+ACK packets, nothing more.
IIRC, the state will just hang there until it times out, but it will be
there and use a slot in the state table; ipfilter will not pass a
matching packet because of the incomplete session state which is
tracked in the state table, anyway.

regards,
/k
-- 
> Experience is a teacher that gives the examination first and the
> lesson afterwards.
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
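Added example, not part of the thread or of ipfilter itself: a small Python model of ipfilter's `flags X/Y` mask semantics and a one-table `keep state` rule, showing why the `S/SA` clause keeps an out-of-session packet (a bare ACK, or a SYN+ACK) from creating a state-table entry while a rule without a flags clause creates one for any matching packet. The `KeepStateRule` class, the flag-bit table and the assumed default mask (all six flags when no `/mask` is written) are assumptions of this model, and the state tracking is far simpler than ipfilter's.

```python
from dataclasses import dataclass, field
from typing import Optional

# TCP flag bits, keyed by the single-letter names ipfilter uses in "flags".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())


def parse_flags_spec(spec: Optional[str]):
    """Turn an ipfilter 'flags X/Y' spec into (wanted_bits, mask_bits).

    'S/SA' means: of the SYN and ACK bits, exactly SYN must be set; other
    bits are ignored.  No mask is modelled here as 'all flags' (assumption).
    No flags clause at all (None) matches every TCP packet."""
    if spec is None:
        return 0, 0
    want, _, mask = spec.partition("/")
    want_bits = sum(FLAG_BITS[c] for c in want)
    mask_bits = sum(FLAG_BITS[c] for c in mask) if mask else ALL_FLAGS
    return want_bits, mask_bits


def flags_match(pkt_flags: int, spec: Optional[str]) -> bool:
    want, mask = parse_flags_spec(spec)
    return (pkt_flags & mask) == want


@dataclass
class KeepStateRule:
    """Model of 'pass in quick proto tcp ... port = dport [flags X/Y] keep state'."""
    dport: int
    flags: Optional[str] = None          # None models a rule with no flags clause
    state: set = field(default_factory=set)  # constructed state table of 4-tuples

    def packet(self, src, sport, dst, dport, tcp_flags: int) -> bool:
        """Return True if the packet passes; add state when the rule matches."""
        key = (src, sport, dst, dport)
        if key in self.state:
            return True                   # already tracked (simplified)
        if dport == self.dport and flags_match(tcp_flags, self.flags):
            self.state.add(key)           # this packet now occupies a slot
            return True
        return False


# Constructed packets: a real SYN, a stray ACK and a SYN+ACK aimed at port 80.
SYN, ACK, SYNACK = FLAG_BITS["S"], FLAG_BITS["A"], FLAG_BITS["S"] | FLAG_BITS["A"]
```

Feeding the stray ACK to `KeepStateRule(80, "S/SA")` returns False and leaves the table untouched, while `KeepStateRule(80)` passes it and burns a state slot until it times out.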