From owner-freebsd-questions@FreeBSD.ORG  Wed Jan 21 10:27:36 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 34C1C16A4CE
	for <freebsd-questions@freebsd.org>;
	Wed, 21 Jan 2004 10:27:36 -0800 (PST)
Received: from chen.org.nz (chen.org.nz [210.54.19.51])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2B7AC43D3F
	for <freebsd-questions@freebsd.org>;
	Wed, 21 Jan 2004 10:27:35 -0800 (PST)
	(envelope-from jonc@chen.org.nz)
Received: by chen.org.nz (Postfix, from userid 1000)
	id 9C1B513651; Thu, 22 Jan 2004 07:27:33 +1300 (NZDT)
Date: Thu, 22 Jan 2004 07:27:33 +1300
From: Jonathan Chen <jonc@chen.org.nz>
To: fbsd_user <fbsd_user@a1poweruser.com>
Message-ID: <20040121182733.GB36015@grimoire.chen.org.nz>
References: <20040121052001.GA33062@grimoire.chen.org.nz>
	<MIEPLLIBMLEEABPDBIEGOEHGFFAA.fbsd_user@a1poweruser.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEHGFFAA.fbsd_user@a1poweruser.com>
User-Agent: Mutt/1.4.1i
cc: Micheal Patterson <micheal@tsgincorporated.com>
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/nated stateful rules example
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jan 2004 18:27:36 -0000

On Wed, Jan 21, 2004 at 08:29:32AM -0500, fbsd_user wrote:

[...]
> As far as the question of using keep-state rules on both the private
> and public interfaces this is cross population of the single
> stateful table and returning packets are being matched to entries in
> the stateful table which do not belong to the interface the original
> enter was posted from. This is an logic error and invalidates the
> function of the purpose of the whole stateful concept.

A logic error is only there is something doesn't work. The proposed
solution works, so there is no logic error. I can't see how the stateful
concept has been invalidated - the mechanism works as intended.  What
you've presented is a matter of opinion rather than any concrete example
as to why the proposed solution is insecure.
-- 
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
The human mind ordinarily operates at only ten percent of its capacity
                     -- the rest is overhead for the operating system.