Date: Wed, 3 Jan 2001 16:37:50 -0500 (EST)
From: Darren Henderson <darren@nighttide.net>
To: Steven Kehlet <kehlet@fisix.com>
Cc: Rene de Vries <freebsd@canyon.demon.nl>, Luigi Rizzo <rizzo@aciri.org>, <freebsd-security@freebsd.org>
Subject: Re: statefull packet filter together with natd question
Message-ID: <Pine.BSF.4.30.0101031627500.26162-100000@localhost>
In-Reply-To: <20010103120449.A66966@leviathan.techfuel.com>
On Wed, 3 Jan 2001, Steven Kehlet wrote:

> numbers on established packets, etc). I see you got this from
> http://www.bsdtoday.com/2000/December/Features359.html.

Yes, it was a very helpful site. Hopefully I haven't given the impression that this was a personal creation; in future I need to make notation regarding source material for such things. It is simply the current rule set on one of my systems.

> You could improve security by instead denying all established
> packets and putting this check after your check-state rule (as the
> ipfw manpage suggests).

:

> My question was: how can we arrange our rules to avoid creating
> this second superfluous dynamic rule? Luigi suggested adding
> keep-state on the natd rule itself, which I will try tonight.

Ah, I did suspect I had missed the full nature of the problem. On the off chance that I hadn't, I just wanted to forward what I had; I know searching for answers can be quite time consuming on occasion and I had it on hand.

Luigi's suggestion sounds promising.

Best of luck,

Darren

______________________________________________________________________
Darren Henderson                                   darren@nighttide.net

Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
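As an added illustration of the ordering Steven describes in the quoted text (example code, not the rule set from the thread or from the bsdtoday article): a dry-run shell fragment in the style of FreeBSD's rc.firewall, with the weak ordering beside the safer one that the ipfw(8) dynamic-rules example uses. The `fwcmd` and `inet` variables, the rule numbers and the helper `established_after_check_state` are assumptions of this example. The natd divert rule, and whether keep-state belongs on it, is the thread's open question and is deliberately left out here.

```sh
#!/bin/sh
# Added example, not code from the thread or from bsdtoday: the two rule
# orderings discussed above, written in the style of FreeBSD's rc.firewall.
# Dry run by default: rules are printed rather than loaded. On a FreeBSD host,
# FWCMD=/sbin/ipfw installs them for real. The subnet is a placeholder.
fwcmd="${FWCMD:-echo ipfw}"
inet="192.168.1.0/24"   # placeholder: the inside network

# Weak ordering: a bare "established" match trusts the ACK/RST bits on any
# packet, so a forged packet with those bits set passes without any state check.
weak_rules() {
    $fwcmd add 100 allow tcp from any to any established
    $fwcmd add 200 allow tcp from "$inet" to any setup
    $fwcmd add 65000 deny ip from any to any
}

# Safer ordering, as in the ipfw(8) dynamic-rules example: consult the
# dynamic rules first, then drop anything that merely claims to be
# established, and create state only for SYNs that originate inside.
stateful_rules() {
    $fwcmd add 100 check-state
    $fwcmd add 200 deny tcp from any to any established
    $fwcmd add 300 allow tcp from "$inet" to any setup keep-state
    $fwcmd add 65000 deny ip from any to any
}

# Sanity check for a rule-generating function: returns 0 when "check-state"
# is installed before the first "established" rule (the ordering recommended
# above), 1 when it is missing or comes later.
established_after_check_state() {
    out=$("$1")
    cs=$(printf '%s\n' "$out" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    est=$(printf '%s\n' "$out" | grep -n 'established' | head -n 1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$est" ] && [ "$cs" -lt "$est" ]
}

$fwcmd -f flush
stateful_rules
```

Run it as-is to see the rule list the safer ordering would install; the check helper is there so the ordering can be verified mechanically before `FWCMD=/sbin/ipfw` loads it on a real host.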