Date: Tue, 30 Oct 2001 10:29:43 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: Michael Scheidell <scheidell@fdma.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011030102625.U73979-100000@mohegan.mohawk.net>
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to
> my internal tcp ports that might not normally have external access
> available?

ipfw does not really track the state, but ipfilter (ipf) does. My
understanding (please correct me if I'm wrong!) is that ipfw could be
fooled by incoming packets spoofing the state of the connection, whereas
ipf keeps its own table and relies on that instead of the incoming
packets' assertions.

-=r=-
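The distinction drawn in this thread, shown as an added toy model that is not ipfw or ipf source and not part of the original message: one table keys a dynamic rule on the address/port tuple and lets TCP flags only adjust the entry's lifetime, the other keeps its own handshake state table. Class and function names (FlagLifetimeTable, HandshakeTable, reply_accepted) and the 10.0.0.5 / 203.0.113.9 addresses are constructed for the illustration.

```python
from collections import namedtuple

# Constructed packet shape (not ipfw's internal struct): flags is a frozenset of TCP flag names.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def tuple_key(p):
    """Direction-independent key so a reply matches the dynamic rule its request created."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a

class FlagLifetimeTable:
    """keep-state style: an entry either exists or not; TCP flags only adjust its timeout."""
    def __init__(self):
        self.expiry = {}
        self.now = 0

    def keep_state(self, p):
        self.expiry[tuple_key(p)] = self.now + 20      # short lifetime after the SYN

    def check_state(self, p):
        k = tuple_key(p)
        if self.expiry.get(k, -1) < self.now:
            return False                                # no live dynamic rule
        if p.flags & {"FIN", "RST"}:
            self.expiry[k] = self.now + 1               # closing: expire soon
        elif "ACK" in p.flags:
            self.expiry[k] = self.now + 300             # looks established: long life
        return True                                     # tuple matched; handshake order never checked

class HandshakeTable:
    """State-table style: a reply is accepted only in the order a real handshake produces."""
    def __init__(self):
        self.state = {}

    def keep_state(self, p):
        if p.flags == {"SYN"}:
            self.state[tuple_key(p)] = "SYN_SENT"

    def check_state(self, p):
        k = tuple_key(p); st = self.state.get(k)
        if st == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.state[k] = "ESTABLISHED"
            return True
        return st == "ESTABLISHED"                      # bare ACK before any SYN/ACK: dropped

def reply_accepted(table, flags):
    """Constructed scenario: inside host 10.0.0.5 sends a SYN to port 25 of 203.0.113.9,
    then a packet with the matching tuple and the given flags arrives from outside."""
    table.keep_state(Pkt("10.0.0.5", 40000, "203.0.113.9", 25, frozenset({"SYN"})))
    return table.check_state(Pkt("203.0.113.9", 25, "10.0.0.5", 40000, frozenset(flags)))
```

With the tuple alone as the match key, the flag-lifetime table admits an ACK-only packet that no SYN/ACK preceded, while the handshake table drops it; a real firewall adds sequence-number and direction checks on top of this sketch.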