From: "Jonathan M. Bresler"
To: stephen@math.missouri.edu
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: <3984AB32.53B8D793@math.missouri.edu> (stephen@math.missouri.edu)
Subject: Re: log with dynamic firewall rules
Message-Id: <20000730232345.650D337B516@hub.freebsd.org>
Date: Sun, 30 Jul 2000 16:23:45 -0700 (PDT)

[snip]
>
> All this bad behavior could be stopped by having a rule
>
> add pass tcp from any to any established
>
> before all the other rules, but in that case why have dynamic rules
> at all?

UDP?
set your timeouts to match the behavior of your apps.

>
> And you could also tinker with the default time outs.
>
> But in the end I find that static rules are quite satisfactory
> for me.

jmb
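The point behind the "UDP?" reply above, as an added example that is not part of the original message and is not ipfw code: a simplified Python model contrasting the stateless `established` flag test with a dynamic state table whose idle lifetime decides whether a late UDP answer is passed. The class names, addresses and lifetime values are constructed for illustration and are not ipfw defaults.

```python
from dataclasses import dataclass, field

ACK, RST, SYN = 0x10, 0x04, 0x02   # TCP flag bits

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: tuple       # (ip, port)
    dst: tuple
    flags: int = 0   # TCP flags; always 0 for UDP

def static_established(pkt):
    """Static 'established' rule: a stateless test for TCP ACK or RST."""
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))

@dataclass
class DynamicRules:
    """Simplified keep-state model: outbound traffic creates state,
    matching inbound traffic refreshes it, idle state expires."""
    lifetime: dict                              # idle seconds per protocol
    table: dict = field(default_factory=dict)   # flow key -> expiry time

    def _key(self, pkt):
        # Direction-independent key so the reply matches the query's state.
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def outbound(self, pkt, now):
        self.table[self._key(pkt)] = now + self.lifetime[pkt.proto]
        return True

    def inbound(self, pkt, now):
        key = self._key(pkt)
        if self.table.get(key, 0) <= now:       # no state, or state expired
            self.table.pop(key, None)
            return False
        self.table[key] = now + self.lifetime[pkt.proto]
        return True

def udp_reply_passes(lifetime_s, reply_delay_s):
    """Constructed exchange: client query at t=0, server answer arrives later."""
    fw = DynamicRules(lifetime={"udp": lifetime_s, "tcp": 300})
    client, server = ("192.0.2.10", 40000), ("198.51.100.53", 53)
    fw.outbound(Packet("udp", client, server), now=0)
    return fw.inbound(Packet("udp", server, client), now=reply_delay_s)

if __name__ == "__main__":
    reply = Packet("udp", ("198.51.100.53", 53), ("192.0.2.10", 40000))
    print("established matches UDP reply:", static_established(reply))
    print("lifetime 5s, reply after 8s:", udp_reply_passes(5, 8))
    print("lifetime 30s, reply after 8s:", udp_reply_passes(30, 8))
```

The static rule can never match the UDP reply because UDP carries no flags, while the dynamic rule passes it only when the configured lifetime covers the application's actual reply gap.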