Date: Tue, 30 Oct 2001 11:52:14 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Michael Scheidell <scheidell@fdma.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011030115012.Y73979-100000@mohegan.mohawk.net>
In-Reply-To: <xzpn129yt94.fsf@flood.ping.uio.no>

On 30 Oct 2001, Dag-Erling Smorgrav wrote:

> Ralph Huntington <rjh@mohawk.net> writes:
> > ipfw does not really track the state, but ipfilter (ipf) does. My
> > understanding (please correct me if I'm wrong!) is that ipfw could be
> > fooled by incoming packets spoofing the state of the connection, whereas
> > ipf keeps its own table and relies on that instead of the incoming
> > packets' assertions. -=r=-
>
> Not true. Both ipf and ipfw can do both stateless and stateful
> inspection.

Can you be more specific? They both do stateful inspections, yes, but ipfw
inspects the incoming packets' headers for the state information, whereas
ipf inspects its own state table to associate incoming packets with a
particular connection. Is that correct or has ipfw been changed? -=r=-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message