From owner-freebsd-security Wed Jan 3 13:38: 9 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 13:38:07 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.nighttide.net (jasper.nighttide.net [216.227.178.18]) by hub.freebsd.org (Postfix) with ESMTP id CCB6637B400 for ; Wed, 3 Jan 2001 13:38:05 -0800 (PST)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.1/8.11.1) with ESMTP id f03Lbo626233; Wed, 3 Jan 2001 16:37:50 -0500 (EST) (envelope-from darren@nighttide.net)
Date: Wed, 3 Jan 2001 16:37:50 -0500 (EST)
From: Darren Henderson
Sender:
To: Steven Kehlet
Cc: Rene de Vries , Luigi Rizzo ,
Subject: Re: statefull packet filter together with natd question
In-Reply-To: <20010103120449.A66966@leviathan.techfuel.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Jan 2001, Steven Kehlet wrote:

> numbers on established packets, etc). I see you got this from
> http://www.bsdtoday.com/2000/December/Features359.html.

Yes, it was a very helpful site. Hopefully I haven't given the impression that this was a personal creation; in future I need to make notation regarding source material for such things. It is simply the current rule set on one of my systems.

> You could improve security by instead denying all established
> packets and putting this check after your check-state rule (as the
> ipfw manpage suggests).
:
> My question was: how can we arrange our rules to avoid creating
> this second superfluous dynamic rule? Luigi suggested adding
> keep-state on the natd rule itself, which I will try tonight.

Ah, I did suspect I had missed the full nature of the problem. On the off chance that I hadn't, I just wanted to forward what I had; I know searching for answers can be quite time consuming on occasion and I had it on hand.

Luigi's suggestion sounds promising.

Best of luck,
Darren

______________________________________________________________________
Darren Henderson darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
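The ordering point in the quoted reply, shown as an added example that is not Darren's rule set, the bsdtoday article's, or anything posted in this thread: two rc.firewall-style ipfw(8) rule sets side by side, one with an early "allow ... established" and one with check-state first followed by a deny of everything else that claims to be established. The outside interface name (OIF, defaulting to ed0) is an assumption, and the script only echoes the ipfw commands unless IPFW is pointed at /sbin/ipfw on a FreeBSD host. Luigi's keep-state-on-the-natd-rule idea is deliberately left out, since the thread has not yet reported whether it works.

```shell
#!/bin/sh
# Added example (not the thread's or the article's own rule set): the two
# orderings the quoted reply contrasts, as ipfw(8) commands in the style of
# /etc/rc.firewall. Dry-run by default: each rule is echoed, not loaded.
# Set IPFW=/sbin/ipfw on a FreeBSD box to load it for real.
IPFW=${IPFW:-"echo ipfw"}
OIF=${OIF:-ed0}          # outside interface natd runs on (assumed name)

# Ordering the quoted reply argues against: "allow ... established" sits
# before check-state, so any TCP packet with ACK or RST set is accepted
# whether or not it belongs to a connection the firewall has tracked.
rules_established_first() {
    $IPFW -f flush
    $IPFW add 100 divert natd ip from any to any via "$OIF"
    $IPFW add 200 allow tcp from any to any established
    $IPFW add 300 check-state
    $IPFW add 400 allow tcp from any to any out via "$OIF" setup keep-state
    $IPFW add 65000 deny log ip from any to any
}

# Ordering the reply (and ipfw(8)) suggest: check-state runs first, so
# packets matching a dynamic rule are accepted there; everything else that
# merely claims to be established is then denied. Only an outbound SYN
# ("setup") creates a dynamic rule.
rules_check_state_first() {
    $IPFW -f flush
    $IPFW add 100 divert natd ip from any to any via "$OIF"
    $IPFW add 200 check-state
    $IPFW add 300 deny log tcp from any to any established
    $IPFW add 400 allow tcp from any to any out via "$OIF" setup keep-state
    $IPFW add 410 allow udp from any to any out via "$OIF" keep-state
    $IPFW add 65000 deny log ip from any to any
}

# Helper for checking an ordering in dry-run mode: prints the rule number
# of the first emitted rule whose text contains the given keyword.
rule_number_of() {
    # $1 = rule-set function name, $2 = keyword (e.g. check-state)
    "$1" | grep -- "$2" | head -n 1 | awk '{print $3}'
}

# When run directly, show the recommended ordering.
rules_check_state_first
```

Run the script as-is to see the commands; set IPFW=/sbin/ipfw only on the firewall host itself, since the first command flushes the live rule set.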