List: ipfilter
Subject: Re: Stateful rules for web server
From: "Toomas Aas" <toomas.aas () raad ! tartu ! ee>
Date: 2002-10-24 9:05:26
Hi!
fde (<fde@mgn.net>) wrote:
> Your rule 22 is the last rule?
> (and this rule blocks all?)
Yes.
> I think that your rejects are due to 'flags S'.
>
> If you do not put this option, does that change?
I would expect it to, but I don't know how safe I'll be after that.
That's the reason I wrote to the list.
From the IPFilter-HOWTO I understood that 'flags S' combined with 'keep
state' is the 'magic bullet' to enable only true incoming connections
and reject FIN scans and such. But there must be some trouble with
that: either IPFilter is broken (not very likely), or the TCP stack on
systems that some people use to access my server is broken (there must
be some of those out there), or I'm just not understanding things.
When removing 'flags S' I think that I also need to remove 'keep state',
because then every returning ACK packet for the same file transfer
would create a new entry in the state table, right?
--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Avoid those abysmally horrible, outrageously repellent exaggerations.
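An added example, not from the original message or the poster's own rule set, of the kind of configuration this thread is discussing: a minimal ipf.conf for a single web server, assuming interface fxp0 and address 192.0.2.10 (both hypothetical). It shows the 'flags S keep state' pattern from the HOWTO, a narrower flag mask to try when legitimate SYNs are being rejected, and why dropping 'flags S' while keeping 'keep state' is the weaker choice.

```conf
# Added example (not the poster's rules). Interface fxp0 and address
# 192.0.2.10 are assumed for illustration.

# Nothing passes unless a rule below says so. With 'log', every packet that
# falls through to these rules is reported by ipmon(8), so rejected SYNs can
# be inspected instead of guessed at.
block in log all
block out log all

# Incoming HTTP: only a packet whose TCP flags look like a connection request
# (a SYN) may create a state entry. Every later packet of that connection, in
# either direction, is matched against the state table before the rule list
# is consulted, so the returning ACKs, data and FIN of one transfer reuse the
# entry created here rather than creating new ones.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state

# Same pattern for an administrative SSH login to the server.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state

# Connections the server itself opens (DNS lookups, outbound HTTP, ...):
# state is created on the outgoing SYN or first datagram, and the replies
# come back in through the state table, not through a 'pass in' rule.
pass out quick on fxp0 proto tcp from 192.0.2.10/32 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10/32 to any keep state
pass out quick on fxp0 proto icmp from 192.0.2.10/32 to any keep state

# If ipmon shows genuine client SYNs being logged as blocked, a narrower flag
# mask is the usual first thing to try. 'S/SA' examines only the SYN and ACK
# bits, so a SYN that also carries other bits (ECN-capable stacks set ECE and
# CWR on the initial SYN, RFC 3168) still matches, while a bare ACK or FIN
# does not and can still not create state.
# pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S/SA keep state

# Dropping 'flags S' but keeping 'keep state' means any TCP packet to port 80
# that matches no existing state entry, including an unsolicited ACK or FIN
# from a scanner, would create one. That is exactly what the flags test
# exists to prevent, so this form should be a diagnostic step, not the fix.
# pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 keep state
```

Load it with ipf -Fa -f /etc/ipf.conf and watch ipmon output while a client that was being rejected connects; the logged flags of the blocked packet tell you whether the flags test or something else is the problem.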