[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spf and masquerading



On Fri, Mar 31, 2000 at 06:02:16PM +0200, Christian Hammers wrote:
> a) Statefull packet filtering would be quite senseless
>    if I applied it to a masquerading server because that would not allow
>    connections to hosts other than the firewall (exept I explicit programm
>    them). Right or wrong?

Wrong. spf does monitor the outgoing packets and install a backward rule.
It does not matter if the router is masquearding.

Or did I misunderstood you?

> b) On a normal host, spf is only good to avoid opening all ports above
>    1023, right? But in case I deny connections (SYN-Flag) to those ports,
>    will it bring me any advantage?

Sorry, I do not understand that question. Where's the connection between spf
and the user port range. With ipchains you can only stop packets with SYN
flag set. How about packets with SYN flag unset? And how about udp and icmp?

Also I wonder why spf cannot help you with port < 1024.

Michael
-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!


Reply to: