From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Date: Sat, 11 Nov 2006 22:18:03 +0100
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID: <45563E0B.6010509@obluda.cz>
In-Reply-To: <159176.35953.qm@web30310.mail.mud.yahoo.com>

R. B. Riddick wrote, on 11/11/06 20:33:
>> Stateful rules can stop the sophisticated intruder, but are often more
>> vulnerable to DoS attacks.
> Hmm... You mean, when someone creates a lot of states?
> At least pf can limit that...

Yes. "Limit" means that some packets (connections, states) are denied.
The rest is the question: is the algorithm smart enough to limit the attacker's packets but not legitimate connections (or, at least, to try to block the attacker and try not to block legitimate connections)? Especially against an attacker with full knowledge of the algorithm.

> But here it looks like just the good guys can create a state (from the
> good-network via the public network to the trusted web sites), so that states
> can't hurt, I think...

Yes, in that case you are right.

Dan

-- 
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
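To make the trade-off discussed in this thread concrete, here is an added pf.conf fragment (not from the thread or from FreeBSD's rc.firewall) showing how pf can bound state creation per source so that one host cannot fill the state table, while the global cap remains the "some connections are denied" backstop. The interface name, network and numeric limits are assumptions chosen for illustration.

```pf
# Added example: per-source state limits in pf plus a global state cap.
# Interface, addresses and numbers are illustrative assumptions.
ext_if   = "em0"
good_net = "192.0.2.0/24"     # the "good-network" behind the firewall

# Global cap: once reached, new states are refused for everyone. This is
# the "limit means some connections are denied" trade-off from the thread.
set limit states 20000

# Sources that exceed the per-host limits below are collected here.
table <abusers> persist

# Drop traffic from sources already flagged as abusive.
block in quick on $ext_if from <abusers>

# Inbound TCP to services on the firewall itself, tracked per source host:
#   max-src-states    caps concurrent states one source may hold
#   max-src-conn-rate caps new TCP connections per source (30 per 10 s)
# A source exceeding either limit is added to <abusers> and its existing
# states are flushed, so one attacker cannot exhaust the table.
pass in on $ext_if proto tcp from any to $ext_if port { 22 80 } \
    flags S/SA keep state \
    (source-track rule, max-src-states 50, max-src-conn-rate 30/10, \
     overload <abusers> flush global)

# Outbound from the trusted network: these states are only created by the
# good guys, so no per-source limit is applied; the global cap still holds.
pass out on $ext_if proto tcp from $good_net to any flags S/SA keep state
```

Entries in `<abusers>` stay until removed, so pair this with a periodic `pfctl -t abusers -T expire 3600` (or similar) so a legitimate host that once tripped the limit is not blocked forever.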