Date:      Thu, 18 May 2006 02:31:14 +0200 (CEST)
From:      "Max Laier" <max@love2party.net>
To:        "David Malone" <dwmalone@maths.tcd.ie>
Cc:        Max Laier <max@love2party.net>, src-committers@freebsd.org, cvs-all@freebsd.org, cvs-src@freebsd.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw2.c
Message-ID:  <49258.192.168.4.1.1147912274.squirrel@mail.abi01.homeunix.org>
In-Reply-To: <200605160929.aa90920@salmon.maths.tcd.ie>
References:  Your message of "Tue, 16 May 2006 01:05:00 +0200." <52078.192.168.4.1.1147734300.squirrel@mail.abi01.homeunix.org> <200605160929.aa90920@salmon.maths.tcd.ie>

On Tue, May 16, 2006 10:29 am, David Malone wrote:
>> Interesting - thanks for the pointer.  Unless every stack DTRT we can't
>> use the flow_id, though - or we break otherwise legal connections.  In
>> the given case we would open a state with SYN+flow_id and got a reply
>> SYNACK+0 which wouldn't hash the same as the SYN we sent out.  No
>> matching state, no connection.
>
> Indeed - we need to get into the position where almost all stacks
> do the right thing before we can use the flow label as a key of any
> sort in the firewalling process. If people have noticed problems
> with this, I'd be interested in knowing which stacks are incriminated.

The PR has www.sixxs.net:80 as example, which seems to be running "Linux
Apache/2.0.55 (Debian)" (according to netcraft).  nmap wasn't really able
to tell in my testing, but it should be possible to approach somebody at
sixxs.net about it - they are very helpful and worried about IPv6.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
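
The lookup failure described in the quoted text above, as an added example that is not part of the original message and is not ipfw code: a state hash that mixes in the IPv6 flow label misses when the peer answers with label 0. The `struct pkt` layout, the hash function and all helper names are hypothetical, and the addresses, ports and label are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified packet key; these are not the ipfw structures. */
struct pkt {
    uint8_t  src[16], dst[16];  /* IPv6 addresses */
    uint16_t sport, dport;
    uint32_t flow_label;        /* 20-bit IPv6 flow label */
};

/* Direction-independent FNV-1a-style hash: the endpoints are XORed so a
 * packet and its reply agree; the flow label is mixed in only on request. */
uint32_t state_hash(const struct pkt *p, int use_flow_label)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 16; i++)
        h = (h ^ (uint32_t)(p->src[i] ^ p->dst[i])) * 16777619u;
    h = (h ^ (uint32_t)(p->sport ^ p->dport)) * 16777619u;
    if (use_flow_label)
        h = (h ^ (p->flow_label & 0xfffffu)) * 16777619u;
    return h;
}

/* Reply to p as the peer would send it, carrying the peer's flow label. */
struct pkt make_reply(const struct pkt *p, uint32_t label)
{
    struct pkt r = { .sport = p->dport, .dport = p->sport, .flow_label = label };
    memcpy(r.src, p->dst, 16);
    memcpy(r.dst, p->src, 16);
    return r;
}

/* 1 if the reply hashes to the state created by the outgoing packet. */
int reply_matches(const struct pkt *out, const struct pkt *in, int use_fl)
{
    return state_hash(out, use_fl) == state_hash(in, use_fl);
}

int main(void)
{
    /* Constructed sample: SYN with a flow label, SYN+ACK with label 0. */
    struct pkt syn = { {0x20, 0x01, 0x0d, 0xb8, [15] = 1},
                       {0x20, 0x01, 0x0d, 0xb8, [15] = 2}, 49152, 80, 0x12345 };
    struct pkt synack = make_reply(&syn, 0);
    printf("keyed on flow label: %s\n", reply_matches(&syn, &synack, 1) ? "match" : "no state");
    printf("flow label ignored:  %s\n", reply_matches(&syn, &synack, 0) ? "match" : "no state");
    return 0;
}
```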
