OSEC

 
From: Pierre-Olivier Fur (pof_at_teamlog.com)
Date: Thu Sep 12 2002 - 12:53:44 CDT


    I agree, dfolkins, stateful packet filtering is really cool :) and having
    stateful and stateless enabled at the same time like David is not
    useful. I have nothing against ipfw cause it's FreeBSD made, but if you
    really want to use stateful packet filtering at its best I recommend
    you use a native stateful packet filter.

    dfolkins wrote:
    > well, of course that would work, but the regular tcpflags ack rules are less
    > restrictive. i.e. they tend to allow all ack packets through, which opens
    > doors for ack-tunneling trojans, not to mention ack packet ddos. that's why
    > i wanted to make all rules keep-state. and besides, keep-state is _cool_.
    > :)
    > ----- Original Message -----
    > From: "David Wolfskill" <davidcatwhisker.org>
    > To: <dfolkinscomcast.net>
    > Sent: Thursday, September 12, 2002 10:56 AM
    > Subject: Re: ipfw, natd, and keep-state - strange behavior?
    >
    >
    >
    >>What I did was use the stateful stuff (only) for UDP; for TCP, I used
    >>the "established" flag. And I haven't seen the problems you report.
    >>
    >>Cheers,
    >>david
    >>--
    >>David H. Wolfskill davidcatwhisker.org
    >>To paraphrase David Hilbert, there can be no conflicts between the
    >>discipline of systems administration and Microsoft, since they have
    >>nothing in common.
    >
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >

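A simplified model of the difference discussed in this thread, added here as an example and not taken from the posters or from ipfw itself: a stateless "established"-style rule passes any inbound TCP packet with ACK or RST set, while a keep-state filter passes inbound packets only for flows the host opened. The packet records, addresses and function names are constructed for illustration, and timeouts and connection teardown are left out.

```python
from collections import namedtuple

# Constructed packet record: direction is "out" (from the protected host) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_established(pkt):
    """Stateless rule pair: pass all outbound TCP; pass inbound TCP only
    when ACK or RST is set (the bits ipfw's 'established' matches)."""
    if pkt.direction == "out":
        return True
    return bool({"ACK", "RST"} & set(pkt.flags))

class StatefulFilter:
    """Simplified check-state / keep-state model: an outbound SYN creates a
    dynamic entry; every other packet must match an existing entry."""
    def __init__(self):
        self.states = set()

    def allow(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            # 'setup' semantics: SYN set, ACK clear
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.states.add(flow)
            return flow in self.states
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.states

# Constructed sample traffic using documentation address ranges.
HOST, PEER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"
TRAFFIC = [
    Packet("out", HOST, 40000, PEER, 80, ("SYN",)),
    Packet("in", PEER, 80, HOST, 40000, ("SYN", "ACK")),  # reply to our SYN
    Packet("in", STRANGER, 80, HOST, 40001, ("ACK",)),    # unsolicited ACK
    Packet("in", STRANGER, 4444, HOST, 22, ("SYN",)),     # unsolicited SYN
]

def compare(traffic):
    """Return one (stateless_verdict, stateful_verdict) pair per packet."""
    fw = StatefulFilter()
    return [(stateless_established(p), fw.allow(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt.direction, pkt.src, pkt.flags, "stateless:", sl, "stateful:", sf)
```

The third packet is the case dfolkins raises: the stateless rule passes it on the ACK bit alone, and the stateful filter drops it because no matching flow was ever opened.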