Re: pf keep state, does it open up holes?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf keep state, does it open up holes?
- From: Diana Eichert <deichert_(_at_)_wrench_(_dot_)_com>
- Date: Tue, 21 Dec 2004 16:35:08 -0700 (MST)
On Tue, 21 Dec 2004, T. wrote:
> Does having the keep state option in pf.conf for outgoing traffic open
> up a security threat/hole in any way? Could for instance some website
> that I have visited get through my firewall and do nasty things?
> Thank you.
(Please wrap your lines at ~ 72 char)
PF is NOT going to protect you against any browser related exploits if
you've initiated a connection from within.
15,000 meter view
You're talking TCP with your browser so there is very little if any risk
with a TCP keep state, because TCP is connection oriented. Now when you
do a UDP keep state rule you're creating a "state" for something that is
inherently stateless due to the connectionless nature of UDP-based
protocols. With UDP you create an artificial state with a defined time