Date: Wed, 31 Oct 2001 13:14:34 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: xlr82xs@sdf.lonestar.org
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011031131434.B246@gohan.cjclark.org>
In-Reply-To: <20011031152625.8040B137CB@xlr82xs.shacknet.nu>; from xlr82xs@xlr82xs.shacknet.nu on Thu, Nov 01, 2001 at 01:26:21AM +1000
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <000901c1620f$51428530$2801010a@MIKELT> <004001c1621c$e85bc820$0b6cffc8@infolink.com.br> <20011031152625.8040B137CB@xlr82xs.shacknet.nu>
On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:

[snip]

> I don't use keep-state for my TCP either, with
>
> ipfw add allow tcp from any to any out via <interface>
> ipfw add allow log tcp from any to any 80 in via <interface> setup
> ipfw add allow tcp from any to any in via <interface> connected
> ipfw add deny log tcp from any to any in via <interface>
>
> which, as far as I know, should stop the problems mentioned with using
> keep-state..
>
> If I'm wrong, please tell me :)

Doing a stateless packet filter for TCP has some problems. It is trivial
to scan for the topology of the network behind the firewall, for example.
It is possible to fingerprint network stacks to some extent through a
stateless packet filter.

-- 
Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
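The following is an added illustration of the point Crist makes above; it is not code from the thread or from FreeBSD. It is a small Python model of two packet-filter policies run over a constructed four-packet trace: the stateless pattern quoted above (allow everything out, allow inbound SYN to port 80, allow inbound packets that look like part of an existing connection, deny the rest) and a keep-state equivalent that only admits inbound packets matching a flow an inside host actually opened. Assumptions: `setup` is modelled as "SYN set, ACK clear" and the "already connected" rule as ipfw's `established` test ("ACK or RST set"); the quoted `connected` keyword is not modelled separately. The state table is simplified (no timeouts, no per-direction sequence tracking), and all addresses and ports are made up.

```python
"""Stateless vs keep-state TCP filtering, modelled on ipfw-style rules.

Constructed example. Shows why a rule that admits any inbound packet with
ACK/RST set lets unsolicited packets reach inside hosts, while a flow table
created by outbound traffic (keep-state / check-state) does not.
"""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the protected network
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear (a new connection attempt)."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set (looks like part of a connection)."""
    return bool(p.flags & (ACK | RST))


def stateless_filter(packets):
    """Stateless policy: out always; in if setup to :80 or 'established'."""
    verdicts = []
    for p in packets:
        if p.direction == "out":
            verdicts.append("allow")
        elif is_setup(p) and p.dport == 80:
            verdicts.append("allow")
        elif is_established(p):
            # Any inbound packet with ACK/RST set passes, solicited or not.
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


def stateful_filter(packets):
    """Keep-state policy: outbound packets create a flow entry; inbound
    packets must match a flow (check-state) or be a new setup to :80."""
    flows = set()  # (inside_host, inside_port, outside_host, outside_port)
    verdicts = []
    for p in packets:
        if p.direction == "out":
            flows.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("allow")
        elif (p.dst, p.dport, p.src, p.sport) in flows:
            verdicts.append("allow")
        elif is_setup(p) and p.dport == 80:
            flows.add((p.dst, p.dport, p.src, p.sport))
            verdicts.append("allow")
        else:
            # No flow was opened from inside, so the packet is unsolicited.
            verdicts.append("deny")
    return verdicts


# Constructed trace (addresses from the documentation ranges):
TRACE = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 443, SYN),        # inside opens HTTPS
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40000, SYN | ACK),   # legitimate reply
    Packet("in", "203.0.113.9", 55000, "10.0.0.23", 22, ACK),          # unsolicited ACK
    Packet("in", "203.0.113.9", 55001, "10.0.0.23", 22, SYN),          # SYN to a non-80 port
]


if __name__ == "__main__":
    for pkt, s, k in zip(TRACE, stateless_filter(TRACE), stateful_filter(TRACE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={s:5} keep-state={k}")
```

The third packet is the case that matters: it carries ACK but belongs to no connection, so the stateless ruleset forwards it to the inside host and the host's response (or silence) reveals whether that address is live, while the keep-state ruleset drops it because no outbound flow ever created a state entry.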