[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Darren please clarify - To flags S on outgoing  connections?
From:       "Stephen Gutknecht (ipfilter)" <IML-ipfilter () i405 ! com>
Date:       2001-01-31 19:57:04
[Download RAW message or body]

Darren,

This is reference to a thread from December 15 timeframe.
I too am confused by this.  Are you suggesting that "flags S" would create
more problems then it solves in this case?

Thank you.

  Stephen Gutknecht
  Renton, Washington USA

-----Original Message-----
From: Phil Dibowitz [mailto:webmaster@ipom.com]
Sent: Friday, December 15, 2000 3:59 PM
To: ipfilter@coombs.anu.edu.au
Subject: Re: To `flags S' or not to `flags S': keeping state on outgoing
connections?


Darren Reed wrote:

> In some email I received from Ronald Florence, sie wrote:
> > What are the advantages and disadvantages of keeping state with `flags
> > S' on outgoing connections?  We currently do:
> >
> >
> > pass out quick proto tcp from any port != netbios-ssn to any keep state
keep frags group 2
> > pass out quick proto udp from any port != netbios-ns to any keep state
keep frags group 2
> > pass out quick proto icmp all keep state keep frags group 2
> >
> >
> > I'm guessing if I were to put a `flags S' into the first of those
> > rules, it would save space in the state table.  Any other advantages?
> > Disadvantages?
>
> Disadvantages are you get multiple state table entries when ipfilter can't
> associate a packet with a stream because it is out of window or similar
and
> the end result is it screws up your state tracking.
>
> Darren

Wait... wouldn't that be a a disadvantage of NOT using flags s? because if
you use flags s
wouldn't it just disregard packets that weren't SYN packets? Maybe I'm
misunderstanding
something here.

[prev in list] [next in list] [prev in thread] [next in thread]