[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: question about SPF (mr Meskes, I suppose?)

On Wed, 22 Mar 2000, Michael Meskes wrote:

> Yes, udp is stateless, but we are talking about a stateful filter i.e. a
> firewall that keeps track of all open connections and enables packets to get
> in if and only if a connections was initiated from the inside.
> And this works for udp as well. For instance my spf sets up a rule
> everytime I query a name server. But if I do not do that no udp packet
> from port 53 on the internet may enter.

I have seen this work beautifully on a host. Does it work equally well
with a firewall? I mean: does spf set up rules _only_ for traffic
originating from the same host it is running on or, instead, does it also
set up rules for traffic _forwarded_ by the host it is running on but not
originating from it? If the second case is true, this is a good enough
reason to upgrade our firewall from slink to potato in order to install
and run spf.

One more question (I hope I will not bother you any more after this): can
I set up an arbitrarily complex set of ipchains rules in the spf
configuration (i.e. the whole set of rules that set up filtering in my
firewall and that are now run in a script at boot time), including
creating new chains to handle specific situations etc., without perturbing
the way spf works? In other words: on what basis does spf decide to set up
a new ipchains rule or delete an obsolete one? Does it monitor packets
going through the "output" chain, or what? What must I avoid to do, not to
mess with the way it works?

Thanks in advance, bye


Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>

OSSERVATORIO  ASTRONOMICO                                                
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222

"Outside of a dog, a book is a man's best friend
 Inside of a dog, it's too dark to read..."
              (Groucho Marx)

Reply to: