Date: Fri, 21 Jan 2000 16:49:28 +0800 (+0800)
From: Michael Robinson
Message-Id: <200001210849.QAA01513@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: stream.c workaround clarification

I've been using an ipfilter rule-list that includes the following two rules:

    pass in log quick proto tcp from any to any flags S/SA
    pass in quick proto tcp from any to any keep state

(I log connections to TCP ports that aren't "exempted" higher up in the rules.)

From the discussion it seems to me that this should have an equivalent protective effect as the officially sanctioned workaround, but I'd like to verify this to be true.

Thanks.

-Michael Robinson