
Re: ipchains X ipfw compatibility



Tim Haynes wrote:

> Yup, that's the bunny. New incoming connections are characterised exactly by
> having the SYN flag set, continuations of already-established connections
> don't have it, so something like
>         ipchains -I input -p tcp ! -y -j ACCEPT
> should do the trick. You might feel happier expressly putting
>         -s 0.0.0.0/0.0.0.0
>         -d 0.0.0.0/0.0.0.0
> in there as well to get the 'any's across.

This *is* the nearest equivalent, but is massively less functional than the equivalent using, for example, ipfilter - ipchains does not keep track of established connections and so cannot actually check that the packet is part of an established connection, just that it's not the start of a new one. Which is a massive difference.




Nick
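The difference Nick describes, modelled as an added example (this is not code from the thread, ipchains or ipfilter): a stateless check that only looks at the SYN flag, the way `ipchains ... -p tcp ! -y` does, beside a toy stateful filter that remembers connections opened from the inside. The `Packet` records, the addresses and the connection table are constructed for the demonstration. Note that ipchains' `-y` matches segments with SYN set and ACK and FIN clear, which is what the stateless model tests.

```python
"""Stateless SYN-flag filtering vs. stateful connection tracking (toy model)."""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

ConnKey = Tuple[str, int, str, int]  # (client, cport, server, sport)


@dataclass(frozen=True)
class Packet:
    """A TCP segment reduced to the fields the two filters look at (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_syn_only(pkt: Packet) -> bool:
    """ipchains -y semantics: SYN set, ACK and FIN clear (a new-connection request)."""
    return "SYN" in pkt.flags and "ACK" not in pkt.flags and "FIN" not in pkt.flags


def stateless_accept(pkt: Packet) -> bool:
    """Model of `ipchains -I input -p tcp ! -y -j ACCEPT`.

    Accepts every inbound TCP segment that is not a connection request. It has
    no memory, so it cannot tell a genuine reply from a stray non-SYN segment.
    """
    return not is_syn_only(pkt)


@dataclass
class StatefulFilter:
    """Toy connection tracker: outbound connection requests create state, and
    inbound segments are accepted only when they belong to tracked state."""
    table: Set[ConnKey] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        if is_syn_only(pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_accept(self, pkt: Packet) -> bool:
        # A reply travels server -> client, so the key is looked up reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_demo() -> dict:
    """Run both filters over the same constructed traffic and return the verdicts."""
    inside, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    sf = StatefulFilter()

    # 1. The inside host opens a connection to the web server.
    sf.outbound(Packet(inside, 40000, web, 80, frozenset({"SYN"})))
    syn_ack = Packet(web, 80, inside, 40000, frozenset({"SYN", "ACK"}))

    # 2. A host nobody talked to sends a lone ACK at the inside host's ssh port.
    stray_ack = Packet(stranger, 55555, inside, 22, frozenset({"ACK"}))

    # 3. A genuine new-connection request from outside.
    new_syn = Packet(stranger, 55556, inside, 22, frozenset({"SYN"}))

    return {
        "syn_ack": (stateless_accept(syn_ack), sf.inbound_accept(syn_ack)),
        "stray_ack": (stateless_accept(stray_ack), sf.inbound_accept(stray_ack)),
        "new_syn": (stateless_accept(new_syn), sf.inbound_accept(new_syn)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:10s} stateless={stateless!s:5s} stateful={stateful}")
```

The verdicts are reported as `(stateless, stateful)` pairs. Both filters agree on the handshake reply and on the new SYN; they disagree on the stray ACK, which the SYN-flag rule waves through because it is "not the start of a new one" while the tracker rejects it because no connection was ever opened to that host. That disagreement is the gap the reply is pointing at.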

