Date:      19 Jul 2001 23:00:06 +0200
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Ralph Huntington <rjh@mohawk.net>
Cc:        "Sergey N. Voronkov" <serg@tmn.ru>, Nick Maschenko <mnvhome@mail.ru>, security@FreeBSD.ORG
Subject:   Re: Fw: Re: A question about FreeBSD security
Message-ID:  <xzpsnfsmy7d.fsf@flood.ping.uio.no>
In-Reply-To: <Pine.BSF.4.21.0107191119130.346-100000@mohegan.mohawk.net>
References:  <Pine.BSF.4.21.0107191119130.346-100000@mohegan.mohawk.net>

Ralph Huntington <rjh@mohawk.net> writes:
> My understanding (someone please correct me if I am wrong) is that IPFW
> relies on the incoming packets' own headers to infer the established
> state, whereas IPF keeps a table of outgoing packets (when told to keep
> state) and matches incoming packets to the entries in the table to
> determine if they are actually in response to an outgoing packet.

Both.  It all depends on how you set up your rule set - you can do

# ipfw add pass tcp from any to me 22 in setup
# ipfw add pass tcp from me 22 to any out tcpflags syn,ack keep-state

instead of

# ipfw add pass tcp from any to me 22 in setup keep-state

The first variant will only store state for incoming connections to
which you actually respond, while the second will store state for all
incoming connections.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
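The difference between the two rule sets above is easy to misjudge from the rule text alone, so here is an added example (editorial, not part of the original message and not FreeBSD's ipfw code) that models just enough of ipfw's matching to run both variants against a three-way handshake, a SYN flood that never completes, and a stray ACK. It also includes a third, header-only rule set built on the `established` keyword, which is the behaviour Ralph describes, so the three approaches can be compared side by side. The model implements only `setup`, `tcpflags`, `established`, `keep-state` and `check-state` as documented in ipfw(8); the dynamic-rule table is keyed on the flow's two endpoints and never expires; all addresses and ports are constructed test data.

```python
"""Toy model of ipfw stateful vs. header-based TCP matching.

Added example, not FreeBSD's ipfw implementation. It models only the keywords
used in the message (`setup`, `tcpflags`, `keep-state`, `check-state`) plus
`established`, with a dynamic-rule table keyed on the flow's endpoints.
Addresses and ports are constructed test data.
"""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"  # the address that "me" resolves to in this model


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"syn", "ack", "fin", "rst"}


@dataclass(frozen=True)
class Rule:
    action: str  # "pass", "deny" or "check-state"
    direction: Optional[str] = None
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False  # SYN set and ACK clear: a new connection attempt
    tcpflags: frozenset = frozenset()  # flags that must all be set
    established: bool = False  # ACK or RST set: state inferred from the header only
    keep_state: bool = False  # create a dynamic rule when this rule matches


def _addr_ok(pattern, addr):
    return pattern == "any" or addr == (ME if pattern == "me" else pattern)


def matches(rule, pkt):
    """Static match of one rule against one packet (everything here is TCP)."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.setup and not ("syn" in pkt.flags and "ack" not in pkt.flags):
        return False
    if rule.established and not (pkt.flags & {"ack", "rst"}):
        return False
    return rule.tcpflags <= pkt.flags


def flow_key(pkt):
    """Direction-independent key, so a reply matches the state its request created."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()  # flow keys that currently have a dynamic rule

    def filter(self, pkt):
        for rule in self.rules:
            # check-state, and every keep-state rule, consults the dynamic table first
            if (rule.action == "check-state" or rule.keep_state) and flow_key(pkt) in self.dynamic:
                return "pass"
            if rule.action == "check-state":
                continue
            if matches(rule, pkt):
                if rule.keep_state:
                    self.dynamic.add(flow_key(pkt))
                return rule.action
        return "deny"  # model a default-to-deny last rule


# Variant 1 from the message: state only for connections the host actually answers
RESPOND_ONLY = [
    Rule("check-state"),
    Rule("pass", "in", "any", None, "me", 22, setup=True),
    Rule("pass", "out", "me", 22, "any", None, tcpflags=frozenset({"syn", "ack"}), keep_state=True),
    Rule("deny"),
]
# Variant 2 from the message: state for every incoming SYN
ON_SYN = [
    Rule("check-state"),
    Rule("pass", "in", "any", None, "me", 22, setup=True, keep_state=True),
    Rule("deny"),
]
# Header-only variant: `established` trusts the ACK/RST bits, no table at all
HEADER_ONLY = [
    Rule("pass", "in", "any", None, "me", 22, setup=True),
    Rule("pass", "in", "any", None, "me", 22, established=True),
    Rule("pass", "out", "me", 22, "any", None),
    Rule("deny"),
]


def handshake(fw, client="198.51.100.7", cport=40000, server_answers=True):
    """Run a three-way handshake to port 22; returns the verdict on each packet."""
    syn = Packet("in", client, cport, ME, 22, frozenset({"syn"}))
    synack = Packet("out", ME, 22, client, cport, frozenset({"syn", "ack"}))
    ack = Packet("in", client, cport, ME, 22, frozenset({"ack"}))
    pkts = (syn, synack, ack) if server_answers else (syn, ack)
    return [fw.filter(p) for p in pkts]


def syn_flood(fw, count):
    """Spoofed SYNs from hosts that never complete; returns dynamic rules created."""
    before = len(fw.dynamic)
    for i in range(count):
        fw.filter(Packet("in", f"203.0.113.{i % 250 + 1}", 1024 + i, ME, 22, frozenset({"syn"})))
    return len(fw.dynamic) - before


def stray_ack(fw):
    """An ACK belonging to no connection the firewall has ever seen."""
    return fw.filter(Packet("in", "203.0.113.99", 5555, ME, 22, frozenset({"ack"})))


if __name__ == "__main__":
    for name, rules in (("respond-only", RESPOND_ONLY), ("on-syn", ON_SYN), ("header-only", HEADER_ONLY)):
        fw = Firewall(rules)
        print(name, handshake(fw), "flood state:", syn_flood(fw, 1000), "stray ack:", stray_ack(fw))
```

Running it shows all three rule sets passing a legitimate handshake, but only the second variant grows its dynamic table by one entry per spoofed SYN, while the first creates state only once the host has sent its SYN/ACK; the header-only rule set keeps no table and therefore lets an unsolicited ACK straight through. In a real ipfw configuration the dynamic rules also expire after net.inet.ip.fw.dyn_* timeouts, which the model omits.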
