Date: Fri, 08 Jun 2001 21:53:17 -0500
From: Ryan <ryanpek@swbell.net>
To: freebsd-security@FreeBSD.ORG
Subject: IPFILTER and flags S/SA
Message-ID: <000601c0f08f$566f53e0$01000001@mhx800>
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com>
from the IPF howto -

    Some examples use flags S/SA instead of flags S. flags S actually equates to
    flags S/AUPRFS and matches against only the SYN packet out of all six possible
    flags, while flags S/SA will allow packets that may or may not have the URG,
    PSH, FIN, or RST flags set. Some protocols demand the URG or PSH flags, and
    S/SAFR would be a better choice for these, however we feel that it is less
    secure to blindly use S/SA when it isn't required. But it's your firewall.

- I was wondering if anyone could maybe explain more in detail why S/SA is unsafe?

example:

pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S/SA keep state

ryanpek@swbell.net
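The difference the howto describes is purely a matter of which TCP flag bits the rule inspects: "flags S" compares all six flags against SYN alone, while "flags S/SA" only looks at SYN and ACK and ignores whatever else is set. The script below is an added example, not code from the e-mail, the howto or IPFilter itself; it models the "flags <set>/<mask>" comparison as the howto states it (a bare "flags S" implying the mask AUPRFS) and enumerates every flag combination each of the three rule variants from the message would let through. The FLAGS table and the implied-mask assumption are mine; IPFilter's actual rule parser is not reproduced.

```python
# Added example: model ipfilter-style "flags <set>/<mask>" matching for TCP
# and enumerate which flag combinations each rule accepts.

# TCP flag letters as used in ipfilter rules, mapped to their header bits.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"  # all six flags; order used for printing combinations


def parse_flags(spec):
    """Parse 'S' or 'S/SA' into (set_bits, mask_bits).

    A bare 'flags S' is treated as 'S/AUPRFS' (mask = all six flags),
    which is how the howto quoted above describes ipfilter's behaviour.
    """
    if "/" in spec:
        set_part, mask_part = spec.split("/", 1)
    else:
        set_part, mask_part = spec, ALL_FLAGS
    to_bits = lambda letters: sum(FLAGS[c] for c in letters)
    return to_bits(set_part), to_bits(mask_part)


def rule_matches(spec, pkt_flags):
    """True if a packet with TCP flag bits pkt_flags satisfies the rule spec.

    Only the bits named in the mask are compared; bits outside the mask
    are free to be anything.
    """
    set_bits, mask_bits = parse_flags(spec)
    return (pkt_flags & mask_bits) == set_bits


def flags_to_str(bits):
    """Render flag bits as a string of letters, e.g. 0x03 -> 'FS'."""
    return "".join(c for c in ALL_FLAGS if bits & FLAGS[c])


def matching_combinations(spec):
    """Return every one of the 64 possible flag combinations the rule accepts."""
    return [flags_to_str(bits) for bits in range(64) if rule_matches(spec, bits)]


if __name__ == "__main__":
    # Compare the two rules from the message plus the howto's S/SAFR suggestion.
    for spec in ("S", "S/SA", "S/SAFR"):
        combos = matching_combinations(spec)
        print(f"flags {spec:7s} accepts {len(combos):2d} combination(s): {combos}")
```

Running it shows "flags S" accepts exactly one combination (a pure SYN), "flags S/SA" accepts sixteen (SYN with any mix of FIN, RST, PSH and URG, including SYN+FIN and SYN+RST), and "flags S/SAFR" narrows that to four (SYN with optional PSH and/or URG), which is the trade-off the howto is pointing at.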