Re: TCP question

To: Michael Meskes <meskes@debian.org>
Cc: Debian Development <debian-firewall@lists.debian.org>
Subject: Re: TCP question
From: Tamas TEVESZ <ice@extreme.hu>
Date: Mon, 13 Mar 2000 17:01:06 +0100 (CET)
Message-id: <Pine.LNX.4.21.0003131652150.9516-100000@mailtrans.sote.hu>
In-reply-to: <20000313154131.A425@fam-meskes.de>

On Mon, 13 Mar 2000, Michael Meskes wrote:

 > I'm currently working on the next version of the statefule packet filter
 > (spf) that I packaged for Debian. This program has an option
 > ALLOW_ESTABLISHED_TCP that is enabled by default and I wonder if this really
 > is a good idea.
 > 
 > What this option does is allow all packets that are part of an established
 > TCP connection. Or in other words the input chains has an ACCEPT rule that
 > lists neither source nor destinatioan address but only asks for the SYN bit
 > not set.

excuse me ?

am i understing right that this allows the inbound side of
(claimed to be) established connections _that do not have an entry in
the state table_ ? (ie. never been ``initialized'' properly, at
least without the fw putting an entry in the state table?)

if it's so, then, imho, it's crap. if not, then either the fw has some
seriuos problems (connections made through it and it does not know
about), or i don't get the whole picture at all...

-- 
[-]
kazmer at any cost !

Reply to:

References:
- TCP question
  - From: Michael Meskes <meskes@debian.org>

Prev by Date: TCP question
Next by Date: dead horse
Previous by thread: TCP question
Next by thread: Re: TCP question
Index(es):
- Date
- Thread