From: Mike Meyer
Date: Thu, 16 Aug 2001 16:06:57 -0500
To: Dennis Jun
Cc: questions@freebsd.org
Subject: Re: How do stateful firewalls help increase security?
Message-ID: <15228.13809.539576.711871@guru.mired.org>

Dennis Jun types:
> A friend of mine asked me this today and I couldn't
> give him a definite answer, even though I use stateful
> firewalls. I was wondering if any gurus could enlighten
> me. Thanx.

From the ipfw man page:

    In order to protect a site from flood attacks involving fake TCP
    packets, it is safer to use dynamic rules:

The alternative to stateful rules is checking for RST or ACK bits - which
can be faked. On the other hand, not much further down on the page:

    BEWARE: stateful rules can be subject to denial-of-service attacks
    by a SYN-flood which opens a huge number of dynamic rules.

--
Mike Meyer					http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
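The trade-off described in the mail above, shown as two ipfw rulesets side by side. This is an added example, not part of Mike Meyer's message and not FreeBSD's own documentation: the interface name `fxp0`, the protected network `192.168.1.0/24`, the per-source limit of 10 and the `dyn_max` value of 4096 are assumptions chosen for illustration. The rule keywords (`established`, `check-state`, `keep-state`, `limit src-addr`) and the `net.inet.ip.fw.dyn_*` sysctls are from ipfw(8); confirm the exact spelling against the ipfw(8) and `sysctl -a` of the release you run. The stateless ruleset lets anything with the ACK or RST bit through rule 200, so a forged packet with ACK set is accepted; the stateful ruleset only passes packets that match a dynamic rule created by an accepted SYN, and `limit src-addr` plus `dyn_max` bound how far a SYN flood can grow that dynamic table.

```shell
#!/bin/sh
# Added example (not from the original mail). Values below are assumptions
# for illustration: outside interface, protected network, per-source limit.
OIF="${OIF:-fxp0}"                  # assumed outside interface
INSIDE="${INSIDE:-192.168.1.0/24}"  # assumed protected network

# Stateless variant: trusts the ACK/RST bits carried by the packet itself.
# A forged packet with ACK set matches "established" and passes rule 200.
stateless_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to $INSIDE 80 setup in via $OIF
add 65000 deny ip from any to any
EOF
}

# Stateful variant: check-state only passes packets that match a dynamic
# rule created by an earlier accepted SYN; header flags alone grant nothing.
# "limit src-addr N" caps dynamic rules per source address, which bounds the
# damage a SYN flood can do to the dynamic table (the BEWARE caveat in ipfw(8)).
stateful_rules() {
    per_src="${1:-10}"   # assumed per-source cap on dynamic rules
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from any to $INSIDE 80 setup in via $OIF limit src-addr $per_src
add 400 allow tcp from $INSIDE to any setup out via $OIF keep-state
add 65000 deny ip from any to any
EOF
}

# Tunables that bound the dynamic table as a whole: a hard ceiling on the
# number of dynamic rules, and a short lifetime for half-open (SYN-only)
# entries so flood-created rules expire quickly. Values are assumptions.
dyn_tunables() {
    cat <<EOF
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_syn_lifetime=20
EOF
}

# Load a ruleset when ipfw is available and we are root; otherwise just
# print it, so the script can be reviewed on any host without changing it.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        ipfw -f flush
        "$1" | while IFS= read -r rule; do
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            ipfw -q $rule
        done
        dyn_tunables | while IFS= read -r kv; do sysctl "$kv"; done
    else
        "$1"
    fi
}

# Inspect the dynamic table on a live box with: ipfw -d list
```

Usage: `apply_rules stateful_rules` loads the stateful set (or prints it when run unprivileged); `stateful_rules 5` emits the same set with a tighter per-source cap. Watching `ipfw -d list` during normal traffic shows how many dynamic rules a legitimate load creates, which is the number `dyn_max` should comfortably exceed while still leaving a ceiling a flood cannot push past.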