Date:      Sat, 24 Nov 2001 15:30:28 +0100
From:      devet@devet.org (Arjan de Vet)
To:        kzaraska@student.uci.agh.edu.pl
Cc:        security@freebsd.org
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <20011124153028.A2567@adv.devet.org>
In-Reply-To: <Pine.BSF.4.21.0111211913360.441-100000@lhotse.zaraska.dhs.org>
References:  <20011121183151.B15275@heresy.dreamflow.nl>

In article <Pine.BSF.4.21.0111211913360.441-100000@lhotse.zaraska.dhs.org> you write:
>On Wed, 21 Nov 2001, Bart Matthaei wrote:
>> I still don't see why ipf would be better when it comes to filtering.
>This issue (at least in one aspect) has been discussed on this list around
>Oct 30 (thread about keep-state and ICMP). The discussion strayed from the
>original topic and someone pointed out that ipfilter does a more careful
>inspection when dealing with dynamic rules (checks TCP sequence numbers
>etc.).

See the paper written by Guido van Rooij:

  http://www.madison-gurkha.com/publications/tcp_filtering/tcp_filtering.ps

It explains how IP-filter deals with seq/ack numbers and window sizes.

Note that IP-filter does not have the notion of real 'dynamic' rules but
a state table instead. Arriving packets are first matched to the state
table (a quick lookup in a hash table) and in case they match (read the
paper to find the exact details) passed on without looking in the filter
rules.

The filter rules are, more or less, only used for determining whether a
new connection will be allowed (and thus entered into the state table).

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands               <devet@devet.org>
URL : http://www.iae.nl/users/devet/            <Arjan.deVet@adv.iae.nl>
Work: http://www.madison-gurkha.com/  (Security, Open Source, Education)
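The lookup order described in the message (state table consulted first, filter rules consulted only when a packet would open a new connection) is easy to see in a small model. The following is an added illustration written for this archive page; it is not IP-filter's code and not Arjan's, and the names `Packet`, `Rule`, `StatefulFilter` and the fixed `WINDOW` tolerance are assumptions made here. Guido van Rooij's paper, linked above, describes the real sequence/ack/window checks; the window check below is only a simplified stand-in for them.

```python
"""Toy stateful packet filter (added example, not IP-filter's code).

Shows the two-step lookup the message describes:
  1. look the packet up in the state table (a hash lookup);
     a hit is passed without consulting the filter rules;
  2. only a packet that could start a new connection (a bare SYN)
     is checked against the rules, and on "pass" it is entered
     into the state table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed per-direction sequence-number tolerance; a simplification of the
# seq/ack/window tracking described in van Rooij's paper.
WINDOW = 65535


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP packet; all instances below are constructed sample data."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "S", "A", "F", "R"
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


@dataclass
class Rule:
    action: str           # "pass" or "block"
    dst: str              # destination host or "any"
    dport: Optional[int]  # None matches any port


@dataclass
class State:
    # expected next sequence number per direction, keyed by (src, sport, dst, dport)
    next_seq: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[tuple, State] = {}   # the state table (hash lookup)

    @staticmethod
    def _conn_key(p: Packet) -> tuple:
        # direction-independent key so both halves of a connection share one entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _in_window(self, st: State, p: Packet) -> bool:
        expected = st.next_seq.get((p.src, p.sport, p.dst, p.dport))
        if expected is None:          # first packet seen in this direction
            return True
        return expected - WINDOW <= p.seq <= expected + WINDOW

    def _advance(self, st: State, p: Packet) -> None:
        consumed = p.payload_len + ("S" in p.flags) + ("F" in p.flags)
        st.next_seq[(p.src, p.sport, p.dst, p.dport)] = p.seq + consumed

    def _rule_lookup(self, p: Packet) -> str:
        verdict = "block"             # default deny when no rule matches
        for r in self.rules:          # last matching rule wins (simplified ipf semantics)
            if r.dst in ("any", p.dst) and r.dport in (None, p.dport):
                verdict = r.action
        return verdict

    def process(self, p: Packet) -> str:
        key = self._conn_key(p)
        st = self.state.get(key)
        if st is not None:            # step 1: state table hit, rules not consulted
            if not self._in_window(st, p):
                return "block:seq-out-of-window"
            self._advance(st, p)
            if "R" in p.flags:
                del self.state[key]   # reset tears the state down
            return "pass:state"
        if "S" not in p.flags or "A" in p.flags:
            return "block:no-state"   # not a connection opener and no state for it
        if self._rule_lookup(p) == "pass":   # step 2: rules decide new connections
            st = State()
            self._advance(st, p)
            self.state[key] = st
            return "pass:rule"
        return "block:rule"


def demo() -> List[str]:
    """Run a constructed handshake plus three bad packets; returns the verdicts."""
    f = StatefulFilter([Rule("block", "any", None), Rule("pass", "10.0.0.5", 80)])
    packets = [
        Packet("192.0.2.1", 40000, "10.0.0.5", 80, "S", seq=1000),            # client SYN
        Packet("10.0.0.5", 80, "192.0.2.1", 40000, "SA", seq=5000, ack=1001),  # server SYN-ACK
        Packet("192.0.2.1", 40000, "10.0.0.5", 80, "A", seq=1001, ack=5001),  # client ACK
        Packet("10.0.0.5", 80, "192.0.2.1", 40000, "A", seq=999_999_999),      # seq far off
        Packet("192.0.2.1", 40001, "10.0.0.5", 80, "A", seq=1),               # ACK, no state
        Packet("192.0.2.1", 40002, "10.0.0.5", 22, "S", seq=1),               # SYN, blocked port
    ]
    return [f.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the server's SYN-ACK would be blocked if it were evaluated against the rules (nothing passes traffic to 192.0.2.1); it is accepted only because the client's SYN created a state-table entry, which is exactly the division of labour the message describes.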
