Date:      Thu, 12 Sep 2002 17:53:44 +0000
From:      Pierre-Olivier Fur <pof@teamlog.com>
To:        dfolkins <dfolkins@comcast.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw, natd, and keep-state - strange behavior?
Message-ID:  <3D80D4A8.5040106@teamlog.com>
References:  <200209121456.g8CEuIVp012004@bunrab.catwhisker.org> <00d501c25a6e$92582db0$0a00a8c0@groovy3xp>

I agree, dfolkins, stateful packet filtering is really cool :) and having 
stateful and stateless enabled at the same time like David does is not 
useful. I have nothing against ipfw because it's FreeBSD-made, but if you 
really want to use stateful packet filtering at its best I recommend 
you use a native stateful packet filter.

dfolkins wrote:
> Well, of course that would work, but the regular tcpflags ack rules are less
> restrictive, i.e. they tend to allow all ACK packets through, which opens
> doors for ACK-tunneling trojans, not to mention ACK packet DDoS.  That's why
> I wanted to make all rules keep-state.  And besides, keep-state is _cool_.
> :)
> ----- Original Message -----
> From: "David Wolfskill" <david@catwhisker.org>
> To: <dfolkins@comcast.net>
> Sent: Thursday, September 12, 2002 10:56 AM
> Subject: Re: ipfw, natd, and keep-state - strange behavior?
> 
> 
> 
>>What I did was use the stateful stuff (only) for UDP; for TCP, I used
>>the "established" flag.  And I haven't seen the problems you report.
>>
>>Cheers,
>>david
>>--
>>David H. Wolfskill david@catwhisker.org
>>To paraphrase David Hilbert, there can be no conflicts between the
>>discipline of systems administration and Microsoft, since they have
>>nothing in common.
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
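The difference the thread is arguing about (an `established`-style rule that passes any inbound segment with ACK set, versus `keep-state`, which only passes inbound segments matching a dynamic entry created by outbound traffic) can be shown with a small model. The block below is an added example written for this archive page, not code from the thread or from ipfw itself: it is a constructed Python simulation of the two decision rules, with a constructed packet sequence (one legitimate handshake followed by an unsolicited inbound ACK). It deliberately ignores dynamic-rule timeouts, `setup` handling and natd, and the hosts, ports and flag sets are invented for illustration.

```python
"""Toy model of the two ipfw approaches discussed in the thread.

Constructed example, not ipfw code: a minimal TCP filter that compares an
'established'-style stateless rule (pass any segment with ACK set) against a
keep-state rule that only passes inbound segments matching a dynamic entry
created by an earlier outbound packet.  State lifetimes are not modelled.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" (sent by our host) or "in" (arriving from the network)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"})


def established_filter(packets):
    """Stateless: allow all outbound; allow inbound only when ACK is set.

    This mirrors the 'established' / tcpflags ack approach: any segment
    carrying ACK is assumed to belong to a connection we started.
    """
    verdicts = []
    for p in packets:
        if p.direction == "out" or ACK in p.flags:
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


def keep_state_filter(packets):
    """Stateful: outbound traffic creates a dynamic entry; inbound must match one."""
    dynamic = set()  # entries keyed as (our_ip, our_port, peer_ip, peer_port)
    verdicts = []
    for p in packets:
        if p.direction == "out":
            dynamic.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("allow")
        elif (p.dst, p.dport, p.src, p.sport) in dynamic:
            # Reverse direction of an entry we created: part of our session.
            verdicts.append("allow")
        else:
            # No outbound packet ever went to this peer/port: unsolicited.
            verdicts.append("deny")
    return verdicts


def sample_traffic():
    """Constructed sequence: a real handshake, then an unsolicited inbound ACK.

    Addresses are RFC 5737 documentation ranges; ports are invented.
    """
    us, peer, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    return [
        Packet("out", us, 51000, peer, 80, frozenset({SYN})),
        Packet("in", peer, 80, us, 51000, frozenset({SYN, ACK})),
        Packet("out", us, 51000, peer, 80, frozenset({ACK})),
        # Bare ACK from a host we never talked to, aimed at our port 22.
        Packet("in", stranger, 31337, us, 22, frozenset({ACK})),
    ]


def compare():
    """Run both filters over the same traffic and return their verdict lists."""
    pkts = sample_traffic()
    return {
        "established": established_filter(pkts),
        "keep_state": keep_state_filter(pkts),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} {verdicts}")
```

Running it shows both approaches passing the three handshake segments, while only the keep-state model denies the fourth, unsolicited ACK; the stateless rule has no way to tell it apart from a reply to a connection we opened, which is exactly the gap dfolkins describes above.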

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D80D4A8.5040106>