Date:      Wed, 31 Oct 2001 14:36:33 +0100
From:      Mipam <mipam@ibb.net>
To:        Michael Scheidell <scheidell@fdma.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <20011031143633.E397@ibb1150.ibb.uu.nl>
In-Reply-To: <000901c1620f$51428530$2801010a@MIKELT>; from scheidell@fdma.com on Wed, Oct 31, 2001 at 08:24:05AM -0500
References:  <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT>

> >                    TCP
> >   src_ip.src_port ----> dst_ip.dst_port
> >
> > I can send _any_ TCP packet back,
> >
> >                    TCP
> >   src_ip.src_port <---- dst_ip.dst_port
> >
> > And it will pass provided the source and destination IP and ports all
> > line up. ipfw(8) does not consider the TCP flags, sequence number,

Bit off topic, but nowadays still a lot of so-called 'best' and great
commercial firewalls still don't check the sequence number for example.
Would be good enough for udp state keeping in a way,
but not for tcp. Not to mention icmp statekeeping which still
isn't possible in many products.

Mipam.
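
The difference between matching a reply on addresses and ports only, as the quoted text describes for ipfw(8), and additionally checking sequence numbers, as an added example that is not part of the original message and is not ipfw code. The `Flow` class, the fixed 65535-byte window and the sample packets are assumptions of this example; TCP flags are not modelled.

```python
from collections import namedtuple

# Constructed packet model; field names belong to this example only.
Pkt = namedtuple("Pkt", "src sport dst dport seq ack length")

MOD = 2**32
WINDOW = 65535  # assumed fixed receive window (no window scaling)


class Flow:
    """State for one TCP connection, created from the outbound SYN."""

    def __init__(self, syn):
        self.key = (syn.src, syn.sport, syn.dst, syn.dport)
        self.next_out = (syn.seq + 1) % MOD  # a SYN consumes one sequence number
        self.next_in = None                  # learned from the peer's first reply

    def is_reply(self, p):
        return (p.dst, p.dport, p.src, p.sport) == self.key

    def tuple_only(self, p):
        """Pass anything whose addresses and ports line up."""
        return self.is_reply(p)

    def with_window(self, p):
        """Also require the sequence and ack numbers to fit the tracked state."""
        if not self.is_reply(p):
            return False
        if self.next_in is None:             # first reply must ack our SYN exactly
            if p.ack != self.next_out:
                return False
            self.next_in = (p.seq + 1) % MOD
            return True
        if (p.seq - self.next_in) % MOD >= WINDOW:
            return False                     # outside the receive window
        if (self.next_out - p.ack) % MOD > WINDOW:
            return False                     # acks data we never sent
        if p.seq == self.next_in:
            self.next_in = (p.seq + p.length) % MOD
        return True


# Constructed sample traffic (documentation addresses).
SYN = Pkt("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 0, 0)
SYNACK = Pkt("198.51.100.5", 80, "192.0.2.10", 40000, 5000, 1001, 0)
DATA = Pkt("198.51.100.5", 80, "192.0.2.10", 40000, 5001, 1001, 100)
STRAY = Pkt("198.51.100.5", 80, "192.0.2.10", 40000, 900000000, 1001, 0)
```

`STRAY` has the right addresses and ports, so `tuple_only` passes it, while `with_window` drops it because its sequence number is far outside the window tracked for the flow.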
