Date:      Thu, 1 Nov 2001 12:27:08 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Jason DiCioccio <geniusj@bluenugget.net>
Cc:        Michael Scheidell <scheidell@fdma.com>, freebsd-security@freebsd.org
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <20011101122708.C4360@blossom.cjclark.org>
In-Reply-To: <20011031144209.A89351@bluenugget.net>; from geniusj@bluenugget.net on Wed, Oct 31, 2001 at 02:42:09PM -0800
References:  <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT> <20011031130817.A246@gohan.cjclark.org> <20011031144209.A89351@bluenugget.net>

On Wed, Oct 31, 2001 at 02:42:09PM -0800, Jason DiCioccio wrote:
> On Wed, Oct 31, 2001 at 01:08:17PM -0800, Crist J. Clark wrote:
> [snip]
> > Not sure if checking more "carefully" is an accurate statement, but
> > IPFilter does only allow TCP packets that it "expects" back in. It
> > does track sequence numbers which ipfw(8) does not track at all.
> [snip]
> 
> Now I'm curious.  Will using "flags S" after keep state rules in ipfilter
> degrade the quality of ipf's stateful inspection?

It just affects what types of TCP segments can cause an entry to be
added to the state table. In your case, the TCP segment in the packet
must have the SYN-bit flipped on. It does not impact how checking
against the table is done.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
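The point made above (the SYN-bit requirement only affects which segments can create a state entry, not how later segments are checked against the table) in ipf.conf terms, as an added example that is not part of the original message. The interface name `fxp0` and the host address are constructed placeholders.

```conf
# Constructed example ipf.conf fragment; fxp0 and 192.0.2.10 are placeholders.

# Without "flags S": any outbound TCP segment that matches (a lone ACK, a
# RST, a retransmitted data segment) can create a state-table entry.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any keep state

# With "flags S": only a segment with the SYN bit set can create the entry,
# i.e. state is only established at connection setup.  Once the entry
# exists, every later segment of that connection is checked against the
# table exactly as before; "flags S" changes nothing about that check.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any flags S keep state

# Everything not explicitly allowed or already in the state table is dropped,
# so inbound segments for a connection that never created state never match.
block in log quick on fxp0 all
```

Reload with `ipf -Fa -f /etc/ipf.conf` and watch `ipfstat -s` to confirm that, with the second form, new entries appear only when a SYN leaves the host.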
