From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Date: Sat, 11 Nov 2006 20:19:33 +0100
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID: <45562245.8070804@obluda.cz>
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>

R. B. Riddick napsal/wrote, On 11/11/06 20:00:
>> But I was scared, not understand what the established bit did, &
>> how easily an attacker might fake something, etc. ...
>> Should I still be worrying about established ?
> Hmm...
> I personally use "check-states" and "keep-state", so that it is not

Stateful rules can stop the sophisticated intruder, but are often more vulnerable to DoS attacks. Every method has pros and cons ...

Dan

-- 
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
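As an added illustration, not part of the thread or of FreeBSD's rc.firewall, here are the two ipfw approaches being compared side by side: the rc.firewall-style `established` rule, and the stateful `check-state`/`keep-state` form with the `limit` option and the `net.inet.ip.fw.dyn_max` sysctl as the usual guards against the state-table exhaustion Dan refers to. The `DRYRUN` switch and the `fwcmd`/`sysctlcmd` variables are assumptions so the script can be inspected on a non-FreeBSD host.

```shell
#!/bin/sh
# Added example: two ways to admit TCP return traffic through ipfw.
# DRYRUN=1 (default) prints the commands instead of loading them.
DRYRUN="${DRYRUN:-1}"
if [ "$DRYRUN" = "1" ]; then
    fwcmd="echo /sbin/ipfw"        # dry run: show what would be executed
    sysctlcmd="echo sysctl"
else
    fwcmd="/sbin/ipfw"             # real run on a FreeBSD host, as root
    sysctlcmd="sysctl"
fi

# Variant 1: the rc.firewall "simple" approach. "established" matches any
# TCP segment with ACK or RST set, so it trusts a flag the sender controls
# rather than a connection the firewall actually saw being opened.
fw_established() {
    ${fwcmd} add 100 allow tcp from any to any established
    ${fwcmd} add 110 allow tcp from any to me 22 setup
    ${fwcmd} add 120 deny tcp from any to any
}

# Variant 2: stateful rules. Return traffic is admitted only for flows whose
# SYN passed a keep-state rule, but every such flow consumes a dynamic-rule
# entry. "limit src-addr N" caps entries per source address and dyn_max
# bounds the whole table, which is the DoS exposure mentioned in the reply.
fw_stateful() {
    ${fwcmd} add 100 check-state
    ${fwcmd} add 110 allow tcp from me to any setup keep-state
    ${fwcmd} add 120 allow tcp from any to me 22 setup limit src-addr 10
    ${fwcmd} add 130 deny tcp from any to any
    ${sysctlcmd} net.inet.ip.fw.dyn_max=8192   # constructed cap, tune per host
}

fw_established
fw_stateful
```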