Date:      Sat, 12 Sep 2009 22:52:29 +0800
From:      Cypher Wu <>
To:        Luigi Rizzo <>
Subject:   Re: Transparent firewall & Dynamic rules
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo <> wrote:
> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint; will IPFW just let it through
>> like a usual IP packet, or try to figure it out and drop it?
> it will let the packet through.
>> 2. If I have two computers and can make sure both ends are not using
>> keepalive, then can I still figure out there is a firewall between
>> these two computers?
> you can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyways), and you
> can set a large timeout.
> but by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing so it is just a logger and not a firewall.
> 'transparent', when referring to a middlebox, means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
