From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
Date: Sun, 30 Jul 2000 20:51:27 +0000
To: "Jonathan M. Bresler"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules

"Jonathan M. Bresler" wrote:
>
> [snip]
> >
> > All this bad behavior could be stopped by having a rule
> >
> > add pass tcp from any to any established
> >
> > before all the other rules, but in that case why have dynamic rules
> > at all?
>
> UDP ?
> set your timeouts to match the behavior of your apps.
>

Ah yes, I had not thought of that. For udp the add pass .... keep-state setup wouldn't work as a means to log establishment only of connections.

For udp connections, is it common to want to log establishment only of connections? (In fact if this option were allowed for dynamic rules, this would be the only way using ipfw to do this.)
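As an added example (not from the thread), an ipfw rule set that puts the two approaches side by side: for TCP, the static `established` rule first and a logged `setup` rule without keep-state, so only connection setup reaches the log; for UDP, where no `established` flag exists, a logged keep-state rule with a short dynamic-rule lifetime, as Jonathan suggests. Rule numbers, the `IPFW`/`SYSCTL` dry-run variables, the 10-second lifetime and the `dyn_udp_lifetime` sysctl name (as on current FreeBSD; check ipfw(8) for the release in use) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to log only "establishment":
#  - TCP: a static 'established' rule first (the workaround quoted above),
#    then a logged 'setup' rule, so only SYN packets reach the logger.
#  - UDP: no 'established' flag exists, so a logged keep-state rule is used
#    and the dynamic-rule lifetime is kept short to match the application.
# Point IPFW/SYSCTL at 'echo' for a dry run that only prints the commands.
IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}

# Assumed idle lifetime (seconds) for UDP dynamic rules, e.g. DNS lookups.
UDP_LIFETIME=${UDP_LIFETIME:-10}

load_rules() {
    # Rule numbers are arbitrary choices for this example.
    # TCP: any packet with ACK set belongs to an existing connection; pass it
    # without logging so the log sees only connection setup.
    "$IPFW" add 100 allow tcp from any to any established
    # Log the SYN (setup) packet only; no keep-state, so the rest of the
    # connection never produces a log line.
    "$IPFW" add 200 allow log tcp from any to any setup
    # UDP: a dynamic rule is the only way to tie replies to a request.
    "$IPFW" add 300 check-state
    "$IPFW" add 400 allow log udp from any to any keep-state
    "$IPFW" add 65000 deny log ip from any to any
}

set_sysctls() {
    # 'log' only reaches syslog when verbose logging is enabled.
    "$SYSCTL" -w net.inet.ip.fw.verbose=1
    # Sysctl name as on current FreeBSD; check ipfw(8) for the release in use.
    "$SYSCTL" -w "net.inet.ip.fw.dyn_udp_lifetime=$UDP_LIFETIME"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
case "${1:-}" in
    load) load_rules && set_sysctls ;;
esac
```

Run with `IPFW=echo SYSCTL=echo sh rules.sh load` to review the command sequence before loading it on a real host.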