Date:      Fri, 21 Jan 2000 08:55:32 -0800 (PST)
From:      Brian Kraemer <kraemer@u.washington.edu>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject:   Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID:  <Pine.A41.4.10.10001210852260.109950-100000@mead2.u.washington.edu>
In-Reply-To: <200001210421.PAA25285@cairo.anu.edu.au>

On Fri, 21 Jan 2000, Darren Reed wrote:

> btw, I think the better way to write the 3 rules is:
> 
> block in quick proto tcp from any to any head 100
> pass in quick proto tcp from any to any flags S keep state group 100
> pass in all

If I'm not mistaken, this ruleset (and no other rules) will also
effectively block any outgoing TCP sessions initiated from this machine.
The machine will send a SYN, and then get blocked because the input rules
never saw an incoming SYN to start keeping state.

I assume a rule that keeps state on the outgoing would fix this?

-Brian
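The point raised above, written out as an added ipf ruleset (this is an illustration, not a ruleset from either poster): the quoted rules only create state from inbound SYNs, so the SYN/ACK answering a locally initiated connection is dropped by the inbound block; the second form assumes the usual ipf behaviour that the state table is consulted before the rule list and adds an outbound keep-state rule.

```conf
# As quoted: state is created only when an inbound SYN reaches group 100.
# A connection started on this host sends a SYN out, and the returning
# SYN/ACK (flags SA, not S) has no state entry, so "block in quick" wins.
block in quick proto tcp from any to any head 100
pass in quick proto tcp from any to any flags S keep state group 100
pass in all

# Corrected (assumed fix): also keep state on outbound SYNs, so replies to
# locally initiated sessions match the state table before the inbound
# block rule is evaluated. "pass out all" covers non-TCP outbound traffic.
block in quick proto tcp from any to any head 100
pass in quick proto tcp from any to any flags S keep state group 100
pass in all
pass out quick proto tcp from any to any flags S keep state
pass out all
```

With the corrected set, an outbound SYN creates a state entry and both directions of that session are passed from the state table; inbound TCP that is not a SYN and has no state is still blocked.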


