Date: Sat, 12 Sep 2009 22:52:29 +0800
From: Cypher Wu <cypher.w@gmail.com>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent firewall & Dynamic rules
Message-ID: <f9f38a550909120752p42e07c18n51bf1dccc15a224@mail.gmail.com>
In-Reply-To: <20090912141021.GA46670@onelab2.iet.unipi.it>
References: <f9f38a550909120032k2572fd3y30a1a5e5d0b457cd@mail.gmail.com> <20090912130913.GA46135@onelab2.iet.unipi.it> <f9f38a550909120651t49362b93m83f08e862adc63cb@mail.gmail.com> <20090912141021.GA46670@onelab2.iet.unipi.it>
Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint. Will IPFW just let it through
>> like a usual IP packet, or try to figure it out and drop it?
>
> it will let the packet through.
>
>> 2. If I have two computers and I can make sure both ends are not using
>> keepalive, can I still figure out that there is a firewall between
>> these two computers?
>
> you can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyway), and you
> can set a large timeout.
>
> but by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing so it is just a logger and not a firewall.
>
> 'transparent' referred to a middlebox means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f9f38a550909120752p42e07c18n51bf1dccc15a224>
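The trade-off Luigi describes (keepalives make the middlebox visible to the endpoints; turning them off means idle connections die at the dynamic-rule timeout unless that timeout is raised) is easy to see in a small model. The following is an added example written for this archive page, not ipfw's code and not something either poster wrote. The parameter names mirror the FreeBSD sysctls net.inet.ip.fw.dyn_ack_lifetime, dyn_keepalive, dyn_keepalive_interval and dyn_keepalive_period, but the scheduling below is a deliberate simplification of the real implementation, and the flow addresses are constructed.

```python
"""Simplified model of how a keep-state firewall ages dynamic rules and
why its TCP keepalives reveal the middlebox to the endpoints.

Constructed example, not ipfw's implementation.  Parameter names follow
the FreeBSD sysctls (net.inet.ip.fw.dyn_*), values are their defaults.
"""
from dataclasses import dataclass


@dataclass
class DynRule:
    """One dynamic (keep-state) entry for an established TCP flow."""
    flow: tuple                           # (src, sport, dst, dport)
    expires_at: float                     # absolute time the entry is dropped
    last_keepalive: float = float("-inf")  # when the firewall last probed it


class DynTable:
    def __init__(self, ack_lifetime=300, keepalive=True,
                 keepalive_interval=20, keepalive_period=5):
        self.ack_lifetime = ack_lifetime              # idle lifetime of an established flow
        self.keepalive = keepalive                    # False == dyn_keepalive=0
        self.keepalive_interval = keepalive_interval  # start probing this close to expiry
        self.keepalive_period = keepalive_period      # minimum spacing between probes
        self.rules = {}
        self.sent_keepalives = []                     # (time, flow) probes injected by the firewall

    def packet(self, flow, now):
        """Any packet matching the flow (either direction) refreshes its lifetime.
        This is also what happens when an endpoint answers a keepalive: the
        firewall lets the answer through and the answer renews the rule."""
        rule = self.rules.get(flow)
        if rule is None:
            rule = DynRule(flow, 0.0)
            self.rules[flow] = rule
        rule.expires_at = now + self.ack_lifetime

    def tick(self, now):
        """Age the table; return the keepalive probes emitted at time `now`."""
        probes = []
        for flow, rule in list(self.rules.items()):
            if now >= rule.expires_at:
                del self.rules[flow]          # idle too long: state is gone
                continue
            close_to_expiry = rule.expires_at - now <= self.keepalive_interval
            spaced_out = now - rule.last_keepalive >= self.keepalive_period
            if self.keepalive and close_to_expiry and spaced_out:
                rule.last_keepalive = now
                # The real firewall sends an ACK to each endpoint, spoofed as
                # coming from the other; that segment is the detectable artefact.
                probes.append((now, flow))
        self.sent_keepalives.extend(probes)
        return probes


def simulate_idle_flow(table, idle_seconds, endpoints_answer=True):
    """Open one TCP flow at t=0, leave it idle, and report
    (flow still in the table?, number of firewall-originated probes)."""
    flow = ("10.0.0.1", 40000, "10.0.0.2", 22)   # constructed addresses
    table.packet(flow, 0)
    for t in range(1, idle_seconds + 1):
        probes = table.tick(t)
        if probes and endpoints_answer:
            table.packet(flow, t)   # endpoint ACKs the probe; firewall passes it
    return flow in table.rules, len(table.sent_keepalives)


if __name__ == "__main__":
    # Defaults: the flow survives 10 idle minutes, but only because the
    # firewall probed the hosts twice, which any host can notice.
    print(simulate_idle_flow(DynTable(), 600))
    # Keepalives off, default lifetime: invisible, but the idle flow is dropped.
    print(simulate_idle_flow(DynTable(keepalive=False), 600))
    # Keepalives off, large lifetime: invisible and the idle flow survives.
    print(simulate_idle_flow(DynTable(keepalive=False, ack_lifetime=3600), 600))
```

Running the three scenarios shows the point of the thread: with the defaults a 10-minute idle SSH session is kept alive only by probes the firewall injects, so the endpoints can see it; setting dyn_keepalive=0 removes the probes but then dyn_ack_lifetime has to be raised, or idle sessions are silently cut at the timeout.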