
Re: pf keep state, does it open up holes?

On Tue, 21 Dec 2004, T. wrote:

> Does having the keep state option in pf.conf for outgoing traffic open
> up a security threat/hole in any way. Could for instance some website
> that I have visited get through my firewall and do nasty things?
> Thank you.

(Please wrap your lines at ~ 72 char)

PF is NOT going to protect you against any browser related exploits if
you've initiated a connection from within.

15,000 meter view

You're talking TCP with your browser so there is very little if any risk
with a TCP keep state, because TCP is connection oriented.  Now when you
do a UDP keep state rule you're creating a "state" for something that is
inherently stateless due to the connectionless nature of UDP based
protocols.  With UDP you create an artificial state with a defined time