Date: Mon, 24 Jan 2000 09:09:33 +0100
From: Guido van Rooij <guido@gvr.org>
To: Brett Glass <brett@lariat.org>
Cc: Mikhail Teterin <mi@kot.ne.mediaone.net>, Darren Reed <avalon@coombs.anu.edu.au>,
    Warner Losh <imp@village.org>, jamiE rishaw - master e*tard <jamiE@arpa.com>,
    Tom <tom@uniserve.com>, Mike Tancsa <mike@sentex.net>,
    freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <20000124090933.A19088@gvr.gvr.org>
In-Reply-To: <4.2.2.20000120223838.019309d0@localhost>; from Brett Glass on Thu, Jan 20, 2000 at 10:43:57PM -0700
References: <200001210421.PAA25285@cairo.anu.edu.au> <200001210531.AAA26807@rtfm.newton> <4.2.2.20000120223838.019309d0@localhost>

On Thu, Jan 20, 2000 at 10:43:57PM -0700, Brett Glass wrote:
> Unfortunately, no. IPFW is stateless (at least from packet
> to packet). This makes it compact and fast but unable to
> detect or handle some situations by itself.
>
> You could write a daemon that hung off of a divert(4)
> socket (as natd does) to do this, but serious juju would
> be required.
>

The current way heart of the TCP stateful filtering engine in ipfilter
was designed by me. I am preparing an article on it which will be
presented at the European SANE conference
(http://www.nluug.nl/events/sane2000/index.html).
Once my article is ready you can probably easily use it to make such
a beast for ipfw.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message