[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: the keep state rule

To: misc@openbsd.org
Subject: Re: the keep state rule
From: Rémi Guyomarch <rguyom@pobox.com>
Date: Thu, 1 Mar 2001 20:09:54 +0100
Content-Disposition: inline
References: <5.0.2.1.0.20010228174702.02589ec0@mail.planete-marseille.fr>
User-Agent: Mutt/1.2.5i

On Wed, Feb 28, 2001 at 05:52:23PM +0100, Maxime Longuet wrote:
> I've bridge + Ipf
> 
> xl0 on my internal network
> xl1 on my routeur
> 
> I've this rules
> 
> pass in log quick on xl1 proto icmp from any to 193.56.133.70/32
> 
> pass in quick on xl1 proto icmp from any to 193.56.133.200/32
> 
> pass in quick on xl0 proto TCP/UDP all keep state
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is wrong. Use that :

pass in quick on xl0 proto tcp from any to any flags S keep state keep frags
pass in quick on xl0 proto udp from any to any         keep state keep frags

"proto tcp" and "keep state" shouldn't be used without "flags S". See
the obsd-misc archives or the ipfilter mailing list archive to see
why.
Also, keeping state on UDP might gives you a false sense of
security. Don't forget that UDP in connection-less.

-- 
Rémi

Prev by Date: Re: A rookie question on BIND &/| name servers
Next by Date: Re: Quick bridging question
Prev by thread: Re: openbsd's sendmail - how save is it?
Next by thread: port info in ipflog missing
Index(es):
- Date
- Thread