Re: More spf questions (bug report?)

[Michael Meskes <meskes@debian.org>]

On Wed, Apr 12, 2000 at 09:36:01PM +0200, Giacomo Mulas wrote:
> 5) the transfer lasts long enough for spf to timeout and close the channel 
> for reply packets on the ftp control port

That means not only did the transfer last long, but also you have at least
30 seconds without any packets going out from your site. AFAIK teh client
sends some acks when receiving packets, doesn't it?

> 	A possible cure would be to simply set a static input rule letting 
> through tcp packets with the SYN flag unset. This should be relatively
> safe (and the default behaviour of non-debian spf, if I remember

Yes, that's right.

> correctly), but it would also let through some portscans. Any simple
> solutions?

And yes, that's the problem.

michael
-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!