From: dfolkins <dfolkins@comcast.net>
Date: Thu, 12 Sep 2002 11:10:46 -0400
Subject: Re: ipfw, natd, and keep-state - strange behavior?
To: freebsd-security@FreeBSD.ORG
References: <200209121456.g8CEuIVp012004@bunrab.catwhisker.org>

Well, of course that would work, but the regular tcpflags ACK rules are less restrictive, i.e. they tend to allow all ACK packets through, which opens doors for ACK-tunneling trojans, not to mention ACK-packet DDoS. That's why I wanted to make all rules keep-state. And besides, keep-state is _cool_. :)

----- Original Message -----
From: "David Wolfskill"
To:
Sent: Thursday, September 12, 2002 10:56 AM
Subject: Re: ipfw, natd, and keep-state - strange behavior?
> What I did was use the stateful stuff (only) for UDP; for TCP, I used
> the "established" flag. And I haven't seen the problems you report.
>
> Cheers,
> david
> --
> David H. Wolfskill david@catwhisker.org
> To paraphrase David Hilbert, there can be no conflicts between the
> discipline of systems administration and Microsoft, since they have
> nothing in common.
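The two approaches this exchange contrasts, written out as an added example that comes from neither poster: an ipfw ruleset that passes TCP with the "established" flag beside one that relies on check-state/keep-state on a natd gateway. It assumes external interface fxp0, an internal LAN of 192.168.0.0/24 and natd already running on the "natd" divert port; by default it only prints the rules (set FWCMD=/sbin/ipfw to load them).

```shell
#!/bin/sh
# Added example, not from the list post. Assumed: external interface fxp0,
# internal LAN 192.168.0.0/24, natd already running on the "natd" divert port.
# Dry run by default: rules are printed, not loaded (FWCMD=/sbin/ipfw loads them).
fwcmd="${FWCMD:-echo ipfw}"

# "established" matches any TCP segment with ACK or RST set, whether or not a
# handshake ever happened, so unsolicited ACK traffic gets past the firewall.
weak_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 divert natd ip from any to any via fxp0
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 400 allow tcp from 192.168.0.0/24 to any setup
    $fwcmd add 500 allow udp from 192.168.0.0/24 to any keep-state
    $fwcmd add 65000 deny ip from any to any
}

# Stateful version: a dynamic rule exists only after an outbound SYN (or UDP
# datagram) from the LAN, and an inbound packet is passed only if check-state
# finds a matching entry. Ordering matters with natd: inbound packets are
# translated (rule 200) before check-state, while outbound packets create
# state first and then skip to the outbound divert (rule 800), so the dynamic
# entry is keyed on the LAN address that replies carry after translation.
stateful_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 divert natd ip from any to any in via fxp0
    $fwcmd add 300 check-state
    $fwcmd add 400 skipto 800 tcp from 192.168.0.0/24 to any out via fxp0 setup keep-state
    $fwcmd add 500 skipto 800 udp from 192.168.0.0/24 to any out via fxp0 keep-state
    # Anything else, including a bare ACK from outside, is dropped here.
    $fwcmd add 600 deny log ip from any to any
    # Reached only via skipto from 400/500 or via a check-state hit (which
    # runs the parent rule's skipto): translate outbound, then pass.
    $fwcmd add 800 divert natd ip from any to any out via fxp0
    $fwcmd add 900 allow ip from any to any
}

case "${1:-stateful}" in
    weak) weak_rules ;;
    *)    stateful_rules ;;
esac
```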