Date: Thu, 22 Jan 2004 07:27:33 +1300
From: Jonathan Chen <jonc@chen.org.nz>
To: fbsd_user <fbsd_user@a1poweruser.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/nated stateful rules example
Message-ID: <20040121182733.GB36015@grimoire.chen.org.nz>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEHGFFAA.fbsd_user@a1poweruser.com>
References: <20040121052001.GA33062@grimoire.chen.org.nz> <MIEPLLIBMLEEABPDBIEGOEHGFFAA.fbsd_user@a1poweruser.com>
On Wed, Jan 21, 2004 at 08:29:32AM -0500, fbsd_user wrote:
[...]
> As far as the question of using keep-state rules on both the private
> and public interfaces this is cross population of the single
> stateful table and returning packets are being matched to entries in
> the stateful table which do not belong to the interface the original
> enter was posted from. This is an logic error and invalidates the
> function of the purpose of the whole stateful concept.
A logic error is only there if something doesn't work. The proposed
solution works, so there is no logic error. I can't see how the stateful
concept has been invalidated - the mechanism works as intended. What
you've presented is a matter of opinion rather than any concrete example
as to why the proposed solution is insecure.
--
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
