Date: Thu, 20 Jun 2002 17:11:11 -0600 From: "Dalin S. Owen" <dowen@nexusxi.com> To: freebsd-security@freebsd.org Subject: IPFW/IPF Setup/Established Message-ID: <20020620171111.A24480@nexusxi.com>
First an example: :)

ipfw add 9 allow tcp from any to any established
ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
(DEFAULT DENY RULE)

vs.

block in all
block out all
pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state

These two rule snippets do essentially the same thing. I know one of them is stateful, and the other is not.

It is kind of like comparing apples to oranges... but they behave the same in the end. They both check for a SYN, and keep a (virtual) state.

I have heard from the IPF community that an "allow tcp from any to any established" can be spoofed. Don't they need the right sequence number to do that? I mean, to send packets to my machine "claiming" to already be established to a private port? If so, then why is the /etc/rc.firewall script written this way? There must be a reason.

Also, which one is faster at matching packets on average?

Help me end the ipfw + ipf madness!!?!? :)

Insanely yours,
Dalin S. Owen
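The following is an added example, written by the editor to illustrate the two rulesets quoted in the message; it is not code from the post, from ipfw or from IPFilter. It models both filters on the same stream of constructed inbound packets. The stateless model follows the documented meaning of the ipfw keywords: `established` matches any TCP packet with RST or ACK set, and `setup` matches SYN set with ACK clear; neither consults a sequence number. The stateful model is a deliberate simplification (assumption): it treats `flags S` as "SYN set, ACK clear", keys state on the 4-tuple only, and ignores the sequence/window tracking and entry timeouts that real `keep state` performs. The addresses, ports and packets are constructed for the demonstration.

```python
from dataclasses import dataclass

# TCP flag bits, same values as in <netinet/tcp.h>
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """An inbound TCP segment reduced to the fields the rules examine."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0  # carried only to show that neither model ever reads it


def ipfw_stateless(pkt: Packet) -> str:
    """Model of the rc.firewall-style ruleset from the message:
         ipfw add 9  allow tcp from any to any established
         ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
         (default deny)
    """
    if pkt.flags & (RST | ACK):
        return "allow: rule 9 (established)"
    if (pkt.flags & (SYN | ACK)) == SYN and pkt.dst == "10.0.0.2" and pkt.dport == 80:
        return "allow: rule 10 (setup)"
    return "deny: default rule"


class IpfStateful:
    """Model of:
         block in all
         pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state
    A bare SYN to 10.0.0.2:80 creates a state entry keyed on the 4-tuple
    (assumption: real ipf also checks sequence/window and ages entries out).
    Later packets pass only if an entry for their 4-tuple exists.
    """

    def __init__(self) -> None:
        self.state: set = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            if pkt.flags & RST:
                self.state.discard(key)  # RST tears the entry down
            return "allow: matches state entry"
        if (pkt.flags & (SYN | ACK)) == SYN and pkt.dst == "10.0.0.2" and pkt.dport == 80:
            self.state.add(key)
            return "allow: pass ... flags S keep state (entry created)"
        return "deny: block in all"


def run_demo() -> dict:
    """Feed the same constructed packets through both models.
    Returns {label: (stateless_verdict, stateful_verdict)}."""
    ipf = IpfStateful()
    packets = [
        ("handshake SYN to 10.0.0.2:80",
         Packet("198.51.100.7", 40000, "10.0.0.2", 80, SYN, seq=1000)),
        ("data on that connection (PSH|ACK)",
         Packet("198.51.100.7", 40000, "10.0.0.2", 80, PSH | ACK, seq=1001)),
        ("forged ACK to 10.0.0.2:22, no handshake, bogus seq",
         Packet("203.0.113.9", 5555, "10.0.0.2", 22, ACK, seq=0xDEADBEEF)),
        ("forged SYN|ACK to 10.0.0.2:80, no handshake",
         Packet("203.0.113.9", 5556, "10.0.0.2", 80, SYN | ACK, seq=0xCAFEBABE)),
        ("plain SYN to 10.0.0.2:22",
         Packet("203.0.113.9", 5557, "10.0.0.2", 22, SYN)),
    ]
    results = {}
    for label, pkt in packets:
        results[label] = (ipfw_stateless(pkt), ipf.filter(pkt))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_demo().items():
        print(f"{label}\n    ipfw stateless: {stateless}\n    ipf  stateful : {stateful}")
```

The third and fourth packets are the ones the IPF community's remark is about: under the stateless ruleset a sender needs nothing more than the ACK bit set to reach port 22, because rule 9 never asks whether a connection exists or what the sequence number is, whereas the `keep state` model rejects both packets because no SYN created an entry for their 4-tuple.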