Date:      Fri, 28 Mar 2003 06:04:45 +1100
From:      Peter Jeremy <peterjeremy@optushome.com.au>
To:        Etienne Ledoux <etienne@unix.za.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Multiple Firewalls with ipfilter?
Message-ID:  <20030327190445.GC11307@cirb503493.alcatel.com.au>
In-Reply-To: <1048774105.27599.15.camel@madcow>
References:  <3E82142E.000017.64676@ns.interchange.ca> <1048774105.27599.15.camel@madcow>

On Thu, Mar 27, 2003 at 04:08:23PM +0200, Etienne Ledoux wrote:
>Both master and slave firewalls are exactly the same except for my
>second firewall had two extra rules right at the top:
>
># Allow all established connections
>pass in quick proto tcp all flags A/SA keep state keep frags
>pass out quick proto tcp all flags A/SA keep state keep frags
>#pass in quick proto udp all keep state keep frags
>#pass out quick proto udp all keep state keep frags

This means you've lost all the benefits of stateful packet filtering
(and the above is a fairly big security hole since you're allowing any
connection spoofing attempts to succeed).

This also doesn't address NAT state tables - which is critical for me.

Peter
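For comparison, an added ipf.conf fragment (not part of this thread, and not Etienne's or Peter's configuration) that places the quoted rules next to a rule set in which only the initial SYN may create state; the interface name xl0, the default-block rules and the exposed ports are assumptions:

```ipf
# Constructed ipf.conf fragment (added example, not from the thread).
# Default deny, so only the rules below that match may create state.
block in all
block out all

# The quoted rules: any TCP segment with ACK set and SYN clear is
# passed and creates a state entry, so one unsolicited ACK from
# anywhere is enough to open an entry in the state table.  The table
# then tracks a flow whose handshake the firewall never saw.
#pass in quick proto tcp all flags A/SA keep state keep frags
#pass out quick proto tcp all flags A/SA keep state keep frags

# Stateful alternative: only the initial SYN (SYN set, ACK clear)
# creates state, and inbound only for services meant to be reachable.
# Later segments of the flow are matched by the state entry, not by a
# rule, so no separate "established" rule is needed.
pass out quick on xl0 proto tcp from any to any flags S/SA keep state keep frags
pass in  quick on xl0 proto tcp from any to any port = 22 flags S/SA keep state keep frags
pass in  quick on xl0 proto tcp from any to any port = 80 flags S/SA keep state keep frags
```

After a failover the second firewall has no state entries for flows begun on the first, so with the stricter rules those flows are dropped until re-established; that is the gap the quoted rules were papering over, at the cost Peter describes.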
