Date: Thu, 20 Jun 2002 17:11:11 -0600
From: "Dalin S. Owen" <dowen@nexusxi.com>
To: freebsd-security@freebsd.org
Subject: IPFW/IPF Setup/Established
Message-ID: <20020620171111.A24480@nexusxi.com>
First an example: :)

    ipfw add 9 allow tcp from any to any established
    ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
    (DEFAULT DENY RULE)

vs.

    block in all
    block out all
    pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state

These two rule snippets do essentially the same thing. I know one of them is stateful, and the other is not. It is kind of like comparing apples to oranges... but they behave the same in the end. They both check for a SYN, and keep a (virtual) state.

I have heard from the IPF community that an "allow tcp from any to any established" can be spoofed. Don't they need the right sequence number to do that? I mean, to send packets to my machine "claiming" to already be established to a private port? If so, then why is the /etc/rc.firewall script written this way? There must be a reason.

Also, which one is faster at matching packets on average?

Help me end the ipfw + ipf madness!!?!? :)

Insanely yours,
Dalin S. Owen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0SYQ4ACgkQKZhyFXMVXuIkCQCfRKIEXBEGFZucalbIyuCguDrG
lPQAoLlyUFOXFYUEHFh7rOg3Zg8/8rr0
=h7D9
-----END PGP SIGNATURE-----
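The difference between the two rule sets in the message above is easier to see when both matchers are written out. The following is an added example, not part of the original mailing-list post: a small Python model of the ipfw rules (`established` = RST or ACK bit set, `setup` = SYN set and ACK clear, both evaluated purely on the flags of the packet in hand) next to a simplified model of the ipf `keep state` rule, which only passes a packet if it belongs to a connection whose opening SYN was already accepted. The state model is a deliberate simplification (real ipf also tracks sequence and window information); the addresses and ports in the sample packets are constructed for the example.

```python
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields a filter rule looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def ipfw_verdict(pkt: Packet) -> str:
    """Stateless ipfw rules from the post, evaluated in order.

    ipfw keeps no connection table: 'established' is satisfied by the
    flag bits alone, so the rule cannot know whether a sequence number
    or a connection behind the packet is genuine.
    """
    # rule 9: allow tcp from any to any established
    if ACK in pkt.flags or RST in pkt.flags:
        return "allow (rule 9 established)"
    # rule 10: allow tcp from any to 10.0.0.2 80 setup
    if (SYN in pkt.flags and ACK not in pkt.flags
            and pkt.dst == "10.0.0.2" and pkt.dport == 80):
        return "allow (rule 10 setup)"
    return "deny (default)"


class IpfStateful:
    """Simplified 'pass in ... flags S keep state' with block-all defaults.

    A connection enters the table only through the pass rule (a bare SYN
    to 10.0.0.2 port 80); afterwards packets in either direction of that
    4-tuple are passed. Sequence/window tracking is omitted here (assumption).
    """

    def __init__(self) -> None:
        self.table: set = set()

    def verdict(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "pass (state)"
        if (pkt.flags == frozenset({SYN})
                and pkt.dst == "10.0.0.2" and pkt.dport == 80):
            self.table.add(fwd)
            return "pass (rule, state created)"
        return "block"


def compare(packets):
    """Return (ipfw verdict, ipf verdict) for each packet, in order."""
    fw = IpfStateful()
    return [(ipfw_verdict(p), fw.verdict(p)) for p in packets]


# Constructed sample traffic: a legitimate web connection, then a lone
# ACK-flagged packet aimed at a non-public port from an unknown host.
SAMPLE = [
    Packet("198.51.100.7", 51000, "10.0.0.2", 80, frozenset({SYN})),
    Packet("10.0.0.2", 80, "198.51.100.7", 51000, frozenset({SYN, ACK})),
    Packet("198.51.100.7", 51000, "10.0.0.2", 80, frozenset({ACK})),
    Packet("203.0.113.9", 40000, "10.0.0.2", 22, frozenset({ACK})),
]

if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)}  ipfw={a}  ipf={b}")
```

Running it shows the three packets of the real connection passing both filters, while the final ACK-only packet to port 22 is accepted by the ipfw `established` rule and blocked by the stateful table. That is the "spoofing" the IPF community refers to: the stateless rule never sees a sequence number, so correctness of the sequence number is checked only by the host's TCP stack after the firewall has already let the packet through. The stateful rule, by contrast, refuses anything that did not start with an accepted SYN.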
