Date: Thu, 16 Aug 2001 16:06:57 -0500
From: Mike Meyer <mwm@mired.org>
To: Dennis Jun <dennisjun@yahoo.com>
Cc: questions@freebsd.org
Subject: Re: How do stateful firewalls help increase security?
Message-ID: <15228.13809.539576.711871@guru.mired.org>
In-Reply-To: <20453090@toto.iv>
Dennis Jun <dennisjun@yahoo.com> types:
> A friend of mine asked me this today and I couldn't
> give him a definite answer, even though I use stateful
> firewalls. I was wondering if any gurus could enlighten
> me. Thanx.
From the ipfw man page:
In order to protect a site from flood attacks involving fake TCP packets,
it is safer to use dynamic rules:
The alternative to stateful rules is checking for RST or ACK bits -
which can be faked.
On the other hand, not much further down on the page:
BEWARE: stateful rules can be subject to denial-of-service attacks by a
SYN-flood which opens a huge number of dynamic rules.
<mike
--
Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
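
The trade-off in the two man page excerpts quoted above, as an added example that is not part of the original message and is not ipfw code. It is a simplified Python model: the packet tuple, the 10.0.0. inside prefix, the open port and the four-entry state table are assumptions, and state entries never expire here.

```python
from collections import namedtuple

# Constructed model of a TCP segment: addresses, ports and the set of flags.
Pkt = namedtuple("Pkt", "src sport dst dport flags")
INSIDE = "10.0.0."  # assumed internal network prefix

def is_inside(addr):
    return addr.startswith(INSIDE)

def stateless_allow(p):
    """Flag check only: outbound traffic, plus anything carrying ACK or RST."""
    if is_inside(p.src):
        return True
    return bool({"ACK", "RST"} & p.flags)  # trusts bits the sender controls

class StatefulFilter:
    """Dynamic rules: one table entry per flow, created by a SYN (setup)."""
    def __init__(self, max_states=4, open_ports=(80,)):
        self.states, self.max_states, self.open_ports = set(), max_states, open_ports

    @staticmethod
    def flow(p):
        # Direction-independent key so replies match the entry.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def allow(self, p):
        if self.flow(p) in self.states:          # existing dynamic rule
            return True
        setup = "SYN" in p.flags and "ACK" not in p.flags
        permitted = is_inside(p.src) or p.dport in self.open_ports
        if setup and permitted and len(self.states) < self.max_states:
            self.states.add(self.flow(p))        # new dynamic rule
            return True
        return False                             # no state, or table full

def demo():
    forged = Pkt("203.0.113.9", 4444, "10.0.0.5", 22, {"ACK"})  # no prior SYN
    fw = StatefulFilter()
    results = {"stateless_forged": stateless_allow(forged),
               "stateful_forged": fw.allow(forged)}
    # Real flow: inside client opens a connection, the reply matches the state.
    fw.allow(Pkt("10.0.0.5", 5000, "198.51.100.1", 443, {"SYN"}))
    results["reply"] = fw.allow(Pkt("198.51.100.1", 443, "10.0.0.5", 5000, {"SYN", "ACK"}))
    # Many SYNs to an open port each take a table slot until none are left.
    for i in range(10):
        fw.allow(Pkt(f"192.0.2.{i}", 1024 + i, "10.0.0.80", 80, {"SYN"}))
    results["table_size"] = len(fw.states)
    results["new_client"] = fw.allow(Pkt("198.51.100.7", 6000, "10.0.0.80", 80, {"SYN"}))
    return results
```

The flag check passes the segment that belongs to no connection, the state table rejects it, and once the table is full a new client's SYN is refused as well.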
