Date: Wed, 28 Jun 95 07:36:46 CDT
From: lists@tar.com (Richard Seaman, Jr)
To: guido@gvr.win.tue.nl
Cc: hackers@freebsd.org
Subject: Re: ipfw code
Message-ID: <199506281236.HAA00903@ns.tar.com>
On Tue, 27 Jun 1995 19:13:54 +0200 (MET DST) you wrote:
>Currently, the ip_fw code has an option to block on packets with the
>SYN flag set. I think this is useless as it basically blocks all tcp
>traffic.
Agreed. Or more precisely, it blocks ALL SYN traffic, which prevents
a TCP connection from being set up. So yes, as a practical matter
blocking syn and blocking tcp have the same practical effect for this
implementation.
>What should be implemented is a way to block those packets
>with the ACK bit set. This is useful for allowing connections only
>from one host to another and not the other way around.
>Can we agree on the SYN code being replaced by the ACK code?
I'm not sure I follow this. If the goal is to prevent inbound TCP
connection requests, I would think the filter should block TCP packets
with the SYN bit set and the ACK bit clear, but allow those in which
both the SYN bit and the ACK bit are set?
I would think the goal of blocking on syn is to prevent inbound
connections but allow outbound connections?
Dick
Richard Seaman, Jr. dick@tar.com
5182 North Maple Lane Dick@Seaman.Chenequa.WI.US
Chenequa, WI 53058 voice: 414-367-5450
fax: 414-367-5852
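The two inbound filtering policies compared in this message, written out as an added example (not ipfw code from the thread): `filter_block_any_syn` and `filter_block_inbound_requests` are hypothetical names, the sample segments are constructed, and the flag values are those of TH_SYN and TH_ACK in <netinet/tcp.h>.

```c
/* Added example comparing the two policies discussed above. Not ipfw
 * code; function names are hypothetical, flag values match <netinet/tcp.h>. */
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

enum verdict { PASS = 0, DROP = 1 };

/* Option criticised in the quoted mail: drop every inbound segment that
 * carries SYN. This also drops the SYN+ACK answering our own outbound
 * SYN, so no TCP connection can complete in either direction. */
enum verdict filter_block_any_syn(uint8_t th_flags)
{
    return (th_flags & TH_SYN) ? DROP : PASS;
}

/* Policy suggested in the reply: drop inbound segments with SYN set and
 * ACK clear (a fresh connection request from outside), but pass SYN+ACK
 * replies so connections opened from the inside still complete. */
enum verdict filter_block_inbound_requests(uint8_t th_flags)
{
    if ((th_flags & (TH_SYN | TH_ACK)) == TH_SYN)
        return DROP;
    return PASS;
}

/* Constructed inbound segments: an outside host's connection request,
 * the reply to one of our own requests, and a mid-stream data segment. */
struct sample { const char *what; uint8_t flags; };
static const struct sample inbound[] = {
    { "inbound SYN (new connection request)", TH_SYN },
    { "inbound SYN+ACK (reply to our SYN)",    TH_SYN | TH_ACK },
    { "inbound ACK (established stream)",      TH_ACK },
};

int main(void)
{
    for (size_t i = 0; i < sizeof inbound / sizeof inbound[0]; i++) {
        printf("%-40s any-SYN: %s  SYN-without-ACK: %s\n", inbound[i].what,
               filter_block_any_syn(inbound[i].flags) == DROP ? "DROP" : "pass",
               filter_block_inbound_requests(inbound[i].flags) == DROP ? "DROP" : "pass");
    }
    return 0;
}
```

Only the second policy lets the SYN+ACK through, which is what distinguishes "block inbound connections" from "block TCP".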