From: Darren Reed (darrenr reed.wattle.id.au)
Date: Thu Jul 19 2001 - 04:02:46 CDT
In some email I received from Emmanuel Dreyfus, sie wrote:
> Hi!
>
> One question about IPF: If I have a tcp keep state rule, I understood that
> any valid ICMP traffic about the TCP connexion would be allowed without
> rule checking.
>
> Does that mean that someone able to snoop the TCP connexion would be able
> to forge an ICMP redirect packet, and that there is no way to stop this?
[...]
Correct. This is nearly never useful because the "next hop" that is the
redirected gateway must be on the local LAN.
Darren
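
The "next hop must be on the local LAN" constraint from the reply above, as an added example that is not part of the original thread: a sketch of the sanity checks a receiving host applies to an ICMP redirect under RFC 1122 section 3.2.2.2. The function names, the documentation-range addresses and the constructed packet are assumptions; checksums are not verified and IPF's own state matching is not modelled.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5, RFC 792

def build_redirect(new_gw, orig_src, orig_dst):
    """Constructed sample: ICMP redirect bytes (checksums left at zero)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(orig_src).packed,
                        ipaddress.IPv4Address(orig_dst).packed)
    header = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                         ipaddress.IPv4Address(new_gw).packed)
    return header + inner

def parse_redirect(icmp):
    """Return (new_gateway, original_dst), or None if not a usable redirect."""
    if len(icmp) < 8 + 20:  # ICMP header plus embedded IPv4 header
        return None
    icmp_type, _code, _cksum, gw = struct.unpack("!BBH4s", icmp[:8])
    inner = icmp[8:]
    if icmp_type != ICMP_REDIRECT or inner[0] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(gw), ipaddress.IPv4Address(inner[16:20])

def accept_redirect(icmp, sender, iface_net, first_hop_for):
    """Host-side checks: sender is the source of the packet carrying the
    redirect, iface_net the network it arrived on, first_hop_for a callable
    mapping a destination to the gateway currently used for it."""
    parsed = parse_redirect(icmp)
    if parsed is None:
        return False
    new_gw, orig_dst = parsed
    if new_gw not in ipaddress.ip_network(iface_net):
        return False  # "next hop" is not on the local LAN
    if ipaddress.IPv4Address(sender) != first_hop_for(orig_dst):
        return False  # not sent by the gateway currently in use
    return True

LAN = "192.0.2.0/24"  # constructed addresses from documentation ranges
ROUTER = ipaddress.IPv4Address("192.0.2.1")

def current_gateway(_dst):
    """Assumed routing lookup: every destination uses the one LAN router."""
    return ROUTER
```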