[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf keep state, does it open up holes?

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: pf keep state, does it open up holes?
From: Diana Eichert <deichert_(_at_)_wrench_(_dot_)_com>
Date: Tue, 21 Dec 2004 16:35:08 -0700 (MST)

On Tue, 21 Dec 2004, T. wrote:

> Does having the keep state option in pf.conf for outgoing traffic open
> up a security threat/hole in any way. Could for instance som website
> that I have visited get through my firewall and do nasty things?
>  
> Thank you.

(Please wrap your lines at ~ 72 char)

PF is NOT going to protect you against any browser related exploits if
you've initiated a connection from within.

15,000 meter view

You're talking TCP with your browser so there is very little if any risk
with a TCP keep state, because TCP is connection oriented.  Now when you
do a UDP keep state rule you're creating a "state" for something that is
inherently state less due to the connection less nature of UDP based
protocols.  With UDP you create an artificial state with a defined time
frame.

References:
- pf keep state, does it open up holes?
  - From: T.

Prev by Date: email hosting & admin with apache chroot
Next by Date: Re: isakmpd with XP client and X.509: Problem after IKE Phase1, Step 3
Previous by thread: Re: pf keep state, does it open up holes?
Next by thread: Re: pf keep state, does it open up holes?
Index(es):
- Date
- Thread

Visit your host, monkey.org