From: Pierre-Olivier Fur
Reply-To: pof@teamlog.com
Organization: Teamlog
Date: Thu, 12 Sep 2002 17:53:44 +0000
To: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <3D80D4A8.5040106@teamlog.com>
References: <200209121456.g8CEuIVp012004@bunrab.catwhisker.org> <00d501c25a6e$92582db0$0a00a8c0@groovy3xp>

I agree, dfolkins, stateful packet filtering is really cool :) and having stateful and stateless enabled at the same time like David does is not useful. I have nothing against ipfw, because it's FreeBSD made, but if you really want to use stateful packet filtering at its best I recommend you use a native stateful packet filter.

dfolkins wrote:
> Well, of course that would work, but the regular tcpflags ack rules are less
> restrictive, i.e. they tend to allow all ACK packets through, which opens
> doors for ACK-tunneling trojans, not to mention ACK packet DDoS. That's why
> I wanted to make all rules keep-state. And besides, keep-state is _cool_.
> :)
>
> ----- Original Message -----
> From: "David Wolfskill"
> To:
> Sent: Thursday, September 12, 2002 10:56 AM
> Subject: Re: ipfw, natd, and keep-state - strange behavior?
>
>> What I did was use the stateful stuff (only) for UDP; for TCP, I used
>> the "established" flag. And I haven't seen the problems you report.
>>
>> Cheers,
>> david
>> --
>> David H. Wolfskill david@catwhisker.org
>> To paraphrase David Hilbert, there can be no conflicts between the
>> discipline of systems administration and Microsoft, since they have
>> nothing in common.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
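Added example, not part of the thread: a small Python model of the two inbound-TCP policies the messages compare, ipfw's stateless `established` test (any segment with ACK or RST set) against `keep-state`/`check-state` dynamic rules, run over constructed packets with made-up addresses and ports. It shows the point dfolkins raises: a bare inbound ACK with no matching outbound connection passes the `established` rule but is dropped by the stateful one.

```python
# Added example (not from the thread): toy model contrasting ipfw's stateless
# "established" test with keep-state dynamic rules. All values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (from the protected host) or "in"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags set on the segment, e.g. {"SYN"}

def established_allows(pkt: Packet) -> bool:
    """Stateless policy: pass all outbound TCP; pass inbound TCP that matches
    ipfw's 'established' keyword (RST or ACK set). Nothing records whether
    a connection was ever opened, so any bare ACK gets through."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & {"ACK", "RST"})

@dataclass
class KeepStateFilter:
    """Stateful policy: 'allow tcp from me to any setup keep-state' plus
    'check-state'. An outbound SYN creates a dynamic entry; everything else
    passes only if it matches an entry. Real ipfw also expires entries."""
    table: set = field(default_factory=set)

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if pkt.flags == frozenset({"SYN"}):     # 'setup' = SYN only
                self.table.add(key)
                return True
            return key in self.table
        # Inbound: the reversed 4-tuple must already be in the table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def run_scenario() -> dict:
    """Run both policies over the same packets, in order.
    Returns {label: (established_verdict, keep_state_verdict)}."""
    me, server, stranger = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    packets = [
        ("outbound SYN", Packet("out", me, 40000, server, 80, frozenset({"SYN"}))),
        ("reply SYN/ACK", Packet("in", server, 80, me, 40000, frozenset({"SYN", "ACK"}))),
        ("unsolicited SYN", Packet("in", stranger, 1234, me, 22, frozenset({"SYN"}))),
        ("unsolicited ACK", Packet("in", stranger, 1234, me, 22, frozenset({"ACK"}))),
    ]
    ks = KeepStateFilter()
    return {label: (established_allows(p), ks.allows(p)) for label, p in packets}
```

The last entry is the one that matters: the stateless rule returns True for the unsolicited ACK while the stateful filter returns False, which is the extra restriction keep-state buys.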