
Re: stateful firewall



On 22 Mar 2001 10:57:14 -0800, Mike Fedyk wrote:
> In a way, 2.2 already had something similar.  Masq+Masq_ftp.

Weeeeellllllllll ... ish ...

 
> You can even masq only ftp, and get the benefit.  Though, this is a
> workaround, it does help.


Yes, but only if you're doing masquerading. I run quite a tight firewall
on my local machine, which isn't doing masq or nat for anything. I run
ip_conntrack_ftp and ip_conntrack_irc, and this way, I can say "allow
all RELATED connections", so every FTP transfer, every DCC transfer,
will get marked as related, so I can allow everything without needing to
open all my high ports.

See how this is 10,000 times better than: a) ipchains, and b)
statelessness?

:) d

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------
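
The RELATED matching described in the message above, as an added example that is not part of the original post and is not netfilter code. It is a toy Python model of a connection tracker with an FTP helper; the class and function names, addresses and port numbers are constructed for illustration.

```python
import re

# Six numbers of "PORT h1,h2,h3,h4,p1,p2" or "227 ... (h1,h2,h3,h4,p1,p2)".
ADDR_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class ConnTrack:
    """Toy model of connection tracking with an FTP helper (not kernel code)."""
    def __init__(self):
        self.flows = set()         # accepted (src, sport, dst, dport) tuples
        self.expectations = set()  # (peer_ip, announced_ip, announced_port)

    def known(self, src, sport, dst, dport):
        """True if the tuple, in either direction, is an accepted flow."""
        return bool({(src, sport, dst, dport), (dst, dport, src, sport)} & self.flows)

    def classify(self, src, sport, dst, dport):
        """State that the first packet of this tuple would match."""
        if self.known(src, sport, dst, dport):
            return "ESTABLISHED"
        if (src, dst, dport) in self.expectations:
            self.expectations.discard((src, dst, dport))  # single use
            self.flows.add((src, sport, dst, dport))
            return "RELATED"
        return "NEW"

    def ftp_helper(self, src, sport, dst, dport, line):
        """Read one control-channel line sent src -> dst; note the data port."""
        if 21 not in (sport, dport) or not self.known(src, sport, dst, dport):
            return
        m = ADDR_RE.search(line)
        if not m or not line.startswith(("PORT ", "227 ")):
            return
        ip = ".".join(m.group(1, 2, 3, 4))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if ip == src:  # ignore announcements that name a third-party address
            self.expectations.add((dst, ip, port))

def accept_inbound(ct, src, sport, dst, dport):
    """Rule from the post: accept ESTABLISHED and RELATED, drop inbound NEW."""
    return ct.classify(src, sport, dst, dport) != "NEW"

def demo():
    """Constructed active-mode FTP session; addresses are documentation ranges."""
    me, server, other = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    ct = ConnTrack()
    ct.flows.add((me, 40000, server, 21))  # outbound control connection
    ct.ftp_helper(me, 40000, server, 21, "PORT 192,0,2,10,195,80")  # port 50000
    return (accept_inbound(ct, other, 20, me, 50000),   # wrong peer
            accept_inbound(ct, server, 20, me, 50000),  # announced data channel
            accept_inbound(ct, server, 20, me, 50001))  # unannounced high port
```

Only the data connection announced on the tracked control channel, from the expected peer, is accepted; the rest of the high ports stay closed.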




