Date: Thu, 1 Nov 2001 06:35:16 -0200
From: "Mario de Oliveira Lobo Neto" <Mlobo@ear.com.br>
To: cjclark@alum.mit.edu
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <3BE0FB2F.32137.8E1D80C@localhost>
In-Reply-To: <20011031131434.B246@gohan.cjclark.org>
References: <20011031152625.8040B137CB@xlr82xs.shacknet.nu>; from xlr82xs@xlr82xs.shacknet.nu on Thu, Nov 01, 2001 at 01:26:21AM +1000

> On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> [snip]
>
> > i don't use keep-state for my tcp either, with
> >
> > ipfw add allow tcp from any to any out via <interface>
> > ipfw add allow log tcp from any to any 80 in via <interface> setup
> > ipfw add allow tcp from any to any in via <interface> connected
> > ipfw add deny log tcp from any to any in via <interface>
> >
> > which, as far as i know should stop the problems mentioned with using
> > keepstate..
> >
> > if i'm wrong, please tell me :)
>
> Doing a stateless packet filter for TCP has some problems. It is
> trivial to scan for the topology of the network behind the firewall
> for example. It is possible to fingerprint network stacks to some
> extent through a stateless packet filter.
> --
> Crist J. Clark                           cjclark@alum.mit.edu

Forgive me if this is a stupid question but could you give a hint (or
directions to learn) when and in which type/port ipfw rules should
keepstate be used?

Thanks

-
*** Mario Lobo
*** Head of Computer Department
*** American School of Recife

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BE0FB2F.32137.8E1D80C>
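
The difference the quoted reply points at, as an added example that is not part of the original thread: a simplified Python model that runs the same constructed packets through the four quoted stateless rules and through a `check-state` / `setup keep-state` variant of them. The `Pkt`, `stateless`, `Stateful` and `compare` names are hypothetical, the quoted `connected` option is read as ipfw's `established` match (an assumption), and the model ignores timeouts and sequence numbers.

```python
from collections import namedtuple

# direction is "in"/"out" on the external interface; flags is a string of TCP flag letters.
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

def is_setup(p):        # ipfw "setup": SYN set, ACK clear
    return "S" in p.flags and "A" not in p.flags

def is_established(p):  # ipfw "established": ACK or RST set
    return "A" in p.flags or "R" in p.flags

def stateless(p):
    """First-match walk of the four quoted rules ('connected' read as 'established')."""
    if p.direction == "out":
        return "allow"
    if p.dport == 80 and is_setup(p):
        return "allow"
    if is_established(p):
        return "allow"
    return "deny"

class Stateful:
    """Model of: check-state; allow out / in-to-80 'setup keep-state'; deny other TCP."""
    def __init__(self):
        self.flows = set()

    def _key(self, p):  # a dynamic rule matches both directions of one flow
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def filter(self, p):
        if self._key(p) in self.flows:                  # check-state
            return "allow"
        if is_setup(p) and (p.direction == "out" or p.dport == 80):
            self.flows.add(self._key(p))                # keep-state
            return "allow"
        return "deny"

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Pkt("out", "192.0.2.10", 40000, "198.51.100.5", 443, "S"),   # inside host opens a connection
    Pkt("in", "198.51.100.5", 443, "192.0.2.10", 40000, "SA"),   # its reply
    Pkt("in", "198.51.100.99", 12345, "192.0.2.20", 22, "A"),    # ACK belonging to no connection
    Pkt("in", "198.51.100.99", 12345, "192.0.2.20", 22, "S"),    # new connection, port not opened
    Pkt("in", "198.51.100.99", 12346, "192.0.2.30", 80, "S"),    # new connection to the web server
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = Stateful()
    return [(stateless(p), fw.filter(p)) for p in packets]
```

Only the third packet gets different verdicts: the stateless rules pass it on its ACK bit alone, while the keep-state model drops it because no dynamic rule exists for that flow.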