Re: can I use keep-state for icmp rules?
From: Mipam (mipam@ibb.net)
Date: 10/31/01
- Next message: DK-CERT: "(no subject)"
- Previous message: Michael Scheidell: "Re: can I use keep-state for icmp rules?"
- In reply to: Michael Scheidell: "Re: can I use keep-state for icmp rules?"
- Next in thread: Antonio Carlos Pina: "Re: can I use keep-state for icmp rules?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Oct 2001 14:36:33 +0100 From: Mipam <mipam@ibb.net> To: Michael Scheidell <scheidell@fdma.com>
> > TCP
> > src_ip.src_port ----> dst_ip.dst_port
> >
> > I can send _any_ TCP packet back,
> >
> > TCP
> > src_ip.src_port <---- dst_ip.dst_port
> >
> > And it will pass provided the source and destination IP and ports all
> > line up. ipfw(8) does not consider the TCP flags, sequence number,
Bit off topic, but nowadays still a lot of so called 'best' and great
commercial firewalls still dont check the sequence number for example.
Would be good enough for udp state keeping in a way,
but not for tcp. Not to mention icmp statekeeping which still
isn't possible in many products.
Mipam.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: DK-CERT: "(no subject)"
- Previous message: Michael Scheidell: "Re: can I use keep-state for icmp rules?"
- In reply to: Michael Scheidell: "Re: can I use keep-state for icmp rules?"
- Next in thread: Antonio Carlos Pina: "Re: can I use keep-state for icmp rules?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
