From: Crist J. Clark (cristjcearthlink.net)
Date: Fri Nov 02 2001 - 01:14:41 CST

    On Thu, Nov 01, 2001 at 10:24:30PM -0800, Greg White wrote:
    > On Thu Nov 11/01/01, 2001 at 09:13:51PM -0800, Crist J. Clark wrote:

    [snip]

    > > If you only want to catch an outgoing, initial SYN, you want
    > > 'flags S/SA'.
    >
    > Really? That was not my understanding of the ipfilter docs, nor does it
    > seem to match the output of ipfstat:

    Oops. You are correct. I misread the ipf(5) manpage. It says in the
    'flags' section,

                                                  However, to guard
                  against weird aberrations, it is necessary to state
                  which flags you are filtering against.

    However, it later states that the behavior you observed is what
    actually happens. It is not actually _necessary_ to state which flags
    you are filtering against.

    And thinking about this more, I did know this 'cause looking at an old
    configuration on an OpenBSD host with a firewall, I used this behavior
    to do some specialized logging.

    Sorry for the confusion.

    -- 
    Crist J. Clark                     |     cjclarkalum.mit.edu
                                       |     cjclarkjhu.edu
    http://people.freebsd.org/~cjc/    |     cjcfreebsd.org
    

    To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message