Date: Mon, 31 Jul 2000 07:04:59 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <20000731070459.M24476@speedy.gsinet>
In-Reply-To: <3984AB32.53B8D793@math.missouri.edu>; from stephen@math.missouri.edu on Sun, Jul 30, 2000 at 05:24:50PM -0500
References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu>
On Sun, Jul 30, 2000 at 17:24 -0500, stephen@math.missouri.edu wrote:
>
> All this bad behavior could be stopped by having a rule
>
> add pass tcp from any to any established
>
> before all the other rules, but in that case why have dynamic
> rules at all?

It depends on the criterion behind the "established" keyword. Do you have a state table of your own, or do you believe in a (foreign!) TCP packet flag?

The latter would be very much like putting a guard at the door and having people pass through based on their(!) answer to the question "are you allowed to walk in?". There's no real point in doing so without comparing the answer against what the guard should think about who's allowed.

Admittedly, when the "guest" has no appointment and thus nobody to talk to or to walk around with, he cannot "misinform" or "misinstruct" an employee. But what are they doing in the building in the first place?

May I suggest reading the ipfilter HowTo at http://www.obfuscation.org/ipf/ ? It has a lot of general stuff, so it's of use for anyone implementing a packet filter. But when using anything other than ipf after reading it, you notice what's missing. :) Unless others have caught up. But I feel they're just about to do so. Until then I prefer the original, with the code that has been around for a while. :)

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
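The distinction drawn above, a rule that trusts the packet's own ACK/RST bits versus a filter that consults its own state table, as an added example that is not part of the original message and not ipfw or ipfilter source code. The Packet model, the state-table logic, the addresses 10.0.0.5 and 198.51.100.7 and the port numbers are all constructed for the illustration: one inbound packet is the genuine SYN/ACK reply to a connection the inside host opened, the other is a forged inbound packet with only ACK set and no connection behind it.

```python
"""Flag-based 'established' check versus a state-table check.

Added illustration (assumed model, not ipfw/ipf code): shows that a rule which
passes anything carrying ACK or RST also passes a forged packet, while a
filter that records outbound SYNs and only admits their replies does not.
"""
from dataclasses import dataclass

# Standard TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flag_established(pkt: Packet) -> bool:
    """Semantics of a flag-based 'established' rule: the decision is made
    purely from bits the sender chose to set (ACK or RST present)."""
    return bool(pkt.flags & (ACK | RST))


class StateTable:
    """Minimal state table: a flow is known only after the filter itself saw
    the inside host's SYN leave. Packet flags are never consulted on the way in."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def note_outbound(self, pkt: Packet) -> None:
        # Record a connection when our side opens it (SYN without ACK)
        if (pkt.flags & SYN) and not (pkt.flags & ACK):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        # The reversed 4-tuple must match a flow we recorded ourselves
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


# Constructed addresses for the scenario
INSIDE = "10.0.0.5"
OUTSIDE = "198.51.100.7"


def run_scenario() -> dict[str, dict[str, bool]]:
    """Return the verdict of both checks for a real reply and a forged packet."""
    table = StateTable()

    # 1. Inside host opens a connection to an outside web server
    syn = Packet(INSIDE, 40000, OUTSIDE, 80, SYN)
    table.note_outbound(syn)

    # 2. The genuine SYN/ACK reply to that connection
    reply = Packet(OUTSIDE, 80, INSIDE, 40000, SYN | ACK)

    # 3. A forged inbound packet aimed at ssh with ACK set but no connection behind it
    forged = Packet(OUTSIDE, 31337, INSIDE, 22, ACK)

    verdicts = {}
    for name, pkt in (("reply", reply), ("forged", forged)):
        verdicts[name] = {
            "flag_rule": flag_established(pkt),
            "state_table": table.inbound_allowed(pkt),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:7s} flag_rule={v['flag_rule']!s:5s} state_table={v['state_table']}")
```

The flag rule passes both packets because both carry ACK; the state table passes only the reply, because only that packet reverses a 4-tuple the filter recorded when the SYN went out. That is the "guard who compares the answer against his own list" from the message, reduced to a set lookup.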