Date:      Wed, 31 Oct 2001 14:42:09 -0800
From:      Jason DiCioccio <geniusj@bluenugget.net>
To:        cjclark@alum.mit.edu
Cc:        Michael Scheidell <scheidell@fdma.com>, freebsd-security@freebsd.org
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <20011031144209.A89351@bluenugget.net>
In-Reply-To: <20011031130817.A246@gohan.cjclark.org>
References:  <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT> <20011031130817.A246@gohan.cjclark.org>


On Wed, Oct 31, 2001 at 01:08:17PM -0800, Crist J. Clark wrote:
[snip]
> Not sure if checking more "carefully" is an accurate statement, but
> IPFilter does only allow TCP packets that it "expects" back in. It
> does track sequence numbers which ipfw(8) does not track at all.
[snip]

Now I'm curious.  Will using "flags S" after keep state rules in ipfilter
degrade the quality of ipf's stateful inspection?  I know it is recommended (at
least on the ipfilter webpage) to use flags S for tcp keep state rules if your
state table is filling up, if not in all cases.  I'm just curious to know
whether using that 'flags S' will make the inspection work more like ipfw's.
If so, I might have to reconsider my use of it. :-)

Thanks,
-JD-

-- 
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc
PGP Key Fingerprint C442 04E2 26B0 3809 8357  96AB D350 9596 0436 7C08
