
List:       ipfilter
Subject:    Re: Stateful rules for web server
From:       "Toomas Aas" <toomas.aas () raad ! tartu ! ee>
Date:       2002-10-24 9:05:26

Hi!

fde (<fde@mgn.net>) wrote:

> Is your rule 22 the last rule?
> (And does this rule block everything?)

Yes.

> I think that your rejects are due to 'flags S'.
>
> If you remove this option, does that change anything?

I would expect it to, but I don't know how safe I'll be after that. 
That's the reason I wrote to the list.

From the IPFilter-HOWTO I understood that 'flags S' combined with 'keep 
state' is the 'magic bullet' to enable only true incoming connections 
and reject FIN scans and such. But there must be some trouble with 
that. Either IPFilter is broken (not very likely), or the TCP stack on 
the systems that some people use to access my server is broken (there 
must be some of those out there), or I'm just not understanding things.

When removing 'flags S' I think that I also need to remove 'keep state', 
because then every returning ACK packet for the same file transfer 
would create a new entry in the state table, right?
--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Avoid those abysmally horrible, outrageously repellent exaggerations.
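As an added illustration of the rule shape under discussion (not part of Toomas's message or of the IPFilter-HOWTO), here is a minimal stateful ruleset for a web server. The interface name fxp0 and the address 192.0.2.10 are placeholders. It uses `flags S/SA` rather than bare `flags S`: S/SA tests only the SYN and ACK bits (SYN set, ACK clear) and treats the remaining bits as don't-care, so a client whose stack sets extra bits on its SYN is still allowed to open a connection, while a lone ACK or FIN cannot create state. The commented-out rule at the end shows the weaker form without any flags clause, which lets any TCP segment matching the rule create a state entry.

```ipf
# Added example ruleset (not from the original thread); fxp0 and
# 192.0.2.10 are placeholders for the real interface and server address.

# Default deny in both directions. "quick" rules below decide first, so
# anything that reaches these lines has not matched a pass rule.
block in log all
block out all

# Only a genuine connection request (SYN set, ACK clear, other bits
# ignored) may create a state entry for port 80. Every later segment of
# that connection is matched by the state table, not by these rules, so
# returning ACKs do not create additional entries.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S/SA keep state

# Connections the server itself initiates (DNS lookups, updates, ...).
pass out quick on fxp0 proto tcp from 192.0.2.10 to any flags S/SA keep state
pass out quick on fxp0 proto udp from 192.0.2.10 to any keep state

# Weaker form to avoid: with no flags clause, a stray ACK or a FIN probe
# that hits this rule is enough to create state.
# pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 keep state
```

After loading the file with `ipf -Fa -f /etc/ipf.conf`, `ipfstat -sl` lists the current state table, which is the quickest way to confirm that a browser session produces one entry per connection rather than one per returning packet.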
