Date: Sun, 30 Jul 2000 20:51:27 +0000
From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: "Jonathan M. Bresler" <jmb@hub.freebsd.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <3984954F.949BFF58@math.missouri.edu>
References: <20000730232345.650D337B516@hub.freebsd.org>

"Jonathan M. Bresler" wrote:
>
> [snip]
> >
> > All this bad behavior could be stopped by having a rule
> >
> > add pass tcp from any to any established
> >
> > before all the other rules, but in that case why have dynamic rules
> > at all?
>
> UDP ?
> set your timeouts to match the behavior of your apps.
>

Ah yes, I had not thought of that. For udp the

add pass .... keep-state setup

wouldn't work as a means to log establishment only of connections.

For udp connections, is it common to want to log establishment only of connections? (In fact if this option were allowed for dynamic rules, this would be the only way using ipfw to do this.)