Date: Thu, 19 Jul 2001 11:29:24 -0400 (EDT)
From: Ralph Huntington <rjh@mohawk.net>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: "Sergey N. Voronkov" <serg@tmn.ru>, Nick Maschenko <mnvhome@mail.ru>, security@FreeBSD.ORG
Subject: Re: Fw: Re: A question about FreeBSD security
Message-ID: <Pine.BSF.4.21.0107191119130.346-100000@mohegan.mohawk.net>
In-Reply-To: <xzp1yndnurn.fsf@flood.ping.uio.no>

> > I prefer to use IPF 'cause of its stateful filtering.
>
> IPFW can keep state as well.

Ah, but do they keep state in the same way? How is that accomplished? Is
one as secure as the other in this regard?

My understanding (someone please correct me if I am wrong) is that IPFW
relies on the incoming packets' own headers to infer the established
state, whereas IPF keeps a table of outgoing packets (when told to keep
state) and matches incoming packets to the entries in the table to
determine if they are actually in response to an outgoing packet.

This seems to indicate that packets could be spoofed to fool IPFW
regarding state.

Would someone more knowledgeable about these firewalls please comment on
this? Thank you very much.

-=r=-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
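
The two models contrasted in the message above, as an added example that is not part of the original post and is not code from IPFW or IPF: a filter that trusts the incoming packet's own TCP flags, next to one that matches incoming packets against a table of recorded outgoing flows. The Packet type, function names and addresses are constructed for illustration, and the state table is simplified (no sequence-number tracking or timeouts).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN", "ACK"}


def header_only_allows(pkt):
    """Header-inferred state: accept anything with ACK or RST set.
    The decision rests entirely on fields the sender controls."""
    return bool(pkt.flags & {"ACK", "RST"})


class StateTable:
    """Table-based state: record outgoing flows, admit only their mirror image."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_inbound(self, pkt):
        # An inbound reply has source and destination swapped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(outbound, inbound):
    """Return (header_only_verdict, state_table_verdict) per inbound packet."""
    table = StateTable()
    for pkt in outbound:
        table.note_outbound(pkt)
    return [(header_only_allows(p), table.allows_inbound(p)) for p in inbound]


# Constructed sample traffic (documentation address ranges).
OUTBOUND = [Packet("192.0.2.10", 40000, "198.51.100.5", 80, frozenset({"SYN"}))]
INBOUND = [
    # Genuine reply to the recorded outgoing connection.
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"})),
    # Unsolicited segment with ACK set; no matching outgoing flow exists.
    Packet("203.0.113.9", 80, "192.0.2.10", 22, frozenset({"ACK"})),
    # Unsolicited connection attempt.
    Packet("203.0.113.9", 1234, "192.0.2.10", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    for pkt, verdict in zip(INBOUND, compare(OUTBOUND, INBOUND)):
        print(pkt.src, sorted(pkt.flags), "header-only:", verdict[0], "table:", verdict[1])
```

The second inbound packet is the case the message asks about: the flag check accepts it, while the table lookup rejects it because no outgoing flow was recorded for that address and port pair.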