Date: Thu, 12 Sep 2002 11:10:46 -0400
From: dfolkins <dfolkins@comcast.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <00d501c25a6e$92582db0$0a00a8c0@groovy3xp>
References: <200209121456.g8CEuIVp012004@bunrab.catwhisker.org>

well, of course that would work, but the regular tcpflags ack rules are less restrictive. i.e. they tend to allow all ack packets through, which opens doors for ack-tunneling trojans, not to mention ack packet ddos. that's why i wanted to make all rules keep-state. and besides, keep-state is _cool_. :)

----- Original Message -----
From: "David Wolfskill" <david@catwhisker.org>
To: <dfolkins@comcast.net>
Sent: Thursday, September 12, 2002 10:56 AM
Subject: Re: ipfw, natd, and keep-state - strange behavior?

> What I did was use the stateful stuff (only) for UDP; for TCP, I used
> the "established" flag. And I haven't seen the problems you report.
>
> Cheers,
> david
> --
> David H. Wolfskill david@catwhisker.org
> To paraphrase David Hilbert, there can be no conflicts between the
> discipline of systems administration and Microsoft, since they have
> nothing in common.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
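
Added example, not part of the original message or of ipfw itself: a simplified Python model of the two policies discussed in this thread, showing why a rule that matches on the ACK/RST bits passes an unsolicited ACK while a state table does not. The addresses, ports, and function names are constructed for illustration; real ipfw dynamic rules also track timeouts and TCP state, which this model omits.

```python
from collections import namedtuple

# Constructed packet model: src/dst are (ip, port) tuples, flags is a set of TCP flag names.
Packet = namedtuple("Packet", "src dst flags")

INSIDE = "192.168.0.10"  # constructed internal host address


def stateless_policy(pkt):
    """Outbound always passes; inbound passes if ACK or RST is set ('established'-style match)."""
    if pkt.src[0] == INSIDE:
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulPolicy:
    """Outbound SYN records a flow (keep-state-style); inbound passes only for a recorded flow."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if pkt.src[0] == INSIDE:
            if pkt.flags == {"SYN"}:
                self.flows.add((pkt.src, pkt.dst))
            return True
        # Inbound traffic must be the reverse direction of a flow the inside host opened.
        return (pkt.dst, pkt.src) in self.flows


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet((INSIDE, 40000), ("203.0.113.5", 80), {"SYN"}),         # inside host opens a connection
    Packet(("203.0.113.5", 80), (INSIDE, 40000), {"SYN", "ACK"}),  # legitimate reply
    Packet(("198.51.100.7", 5000), (INSIDE, 6000), {"ACK"}),       # unsolicited bare ACK
    Packet(("198.51.100.7", 5000), (INSIDE, 6000), {"SYN"}),       # unsolicited inbound SYN
]


def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet, in order."""
    stateful = StatefulPolicy()
    return [(stateless_policy(p), stateful.check(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (flag_rule, state_rule) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.src, "->", pkt.dst, sorted(pkt.flags),
              "flag-match:", flag_rule, "state-table:", state_rule)
```

The two policies differ only on the third packet: the flag-matching rule passes the unsolicited ACK, and the state table drops it because no inside host opened that flow.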
