Re: can I use keep-state for icmp rules?

From: Crist J. Clark (cristjc@earthlink.net)
Date: 11/02/01


Date: Thu, 1 Nov 2001 23:14:41 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: gregw-freebsd-security@greg.cex.ca, freebsd-security@FreeBSD.ORG

On Thu, Nov 01, 2001 at 10:24:30PM -0800, Greg White wrote:
> On Thu Nov 11/01/01, 2001 at 09:13:51PM -0800, Crist J. Clark wrote:

[snip]

> > If you only want to catch an outgoing, initial SYN, you want
> > 'flags S/SA'.
>
> Really? That was not my understanding of the ipfilter docs, nor does it
> seem to match the output of ipfstat:

Oops. You are correct. I misread the ipf(5) manpage. It says in the
'flags' section,

                                              However, to guard
              against weird aberrations, it is necessary to state
              which flags you are filtering against.

However, it later states that the behavior you observed is what
actually happens. It is not actually _necessary_ to state which flags
you are filtering against.

And thinking about this more, I did know this 'cause looking at an old
configuration on an OpenBSD host with a firewall, I used this behavior
to do some specialized logging.

Sorry for the confusion.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
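
The difference between a `flags` match with and without a mask, as an added example that is not part of the original message and is not ipfilter's code. It assumes the ipf(5) semantics that an omitted mask means all six flags are compared; the function names and the packet flag strings are constructed for illustration.

```python
# TCP header flag bits, keyed by the letters ipf uses in 'flags' rules.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"  # assumption: mask used when the rule states none


def to_bits(letters):
    """Convert a string of flag letters (e.g. 'SA') to a bit field."""
    bits = 0
    for ch in letters.upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags(spec):
    """Parse 'S' or 'S/SA' into (wanted_bits, mask_bits)."""
    wanted, sep, mask = spec.partition("/")
    if sep and not mask:
        raise ValueError("empty mask after '/'")
    if not sep:
        mask = ALL_FLAGS  # no mask given: every flag is significant
    return to_bits(wanted), to_bits(mask)


def matches(spec, packet_flags):
    """True if a packet carrying packet_flags satisfies 'flags <spec>'."""
    wanted, mask = parse_flags(spec)
    # Only the masked bits are compared; the rest are ignored.
    return (to_bits(packet_flags) & mask) == wanted


if __name__ == "__main__":
    # Constructed flag combinations: initial SYN, SYN-ACK reply,
    # plain ACK, and an abnormal SYN+FIN+PUSH packet.
    packets = ["S", "SA", "A", "SFP"]
    for spec in ("S", "S/SA"):
        hits = [p for p in packets if matches(spec, p)]
        print(f"flags {spec:5} matches: {hits}")
```

With the mask stated, the abnormal SYN+FIN+PUSH packet still satisfies `S/SA`, while the bare `S` form rejects it because all six flags are compared.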