Vulnerability Development mailing list archives
Re: iptables 'syn but not new' packets
From: "Alex Butcher (vuln-dev)" <vulndev () cocoa demon co uk>
Date: Tue, 11 Dec 2001 23:09:57 +0000 (GMT)
On Tue, 11 Dec 2001, Blue Boar wrote:
> Firewall-1 has had this feature for some time. I read recently that OpenBSD's new PF firewall can do this. This is why I allowed the post.. I suspect there is some fun to be had with this feature, in various implementations.
cf. Filling up Firewall-1's state table by ACK scanning a host behind one that's partially or fully exposed. Actually, I believe that a lot of the "smart" functionality of FW-1 regarding "known" connections has gone in recent versions because it was causing too many problems. I could well be wrong on this point though, as I haven't worked with FW-1 on a day-to-day basis for a little while... :)
> BB
Best Regards,
Alex.
--
Alex Butcher                 Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK                Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950      http://www.cocoa.demon.co.uk/cv/
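To make the state-table point in the reply concrete, here is an added toy model (not code from this thread, FW-1 or netfilter) of a connection table under two policies: a "lenient" one that creates an entry for any packet to an allowed port, so a burst of bare ACKs fills it, and a "strict" one that only creates state on a bare SYN and drops a SYN whose 4-tuple is already tracked (the 'syn but not new' case in the subject line). Addresses, ports and the capacity of 4 are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


class StateTable:
    """Toy connection table; 'lenient' vs 'strict' is an assumption for illustration."""

    def __init__(self, policy: str, capacity: int = 4) -> None:
        self.policy = policy          # "lenient" or "strict"
        self.capacity = capacity      # constructed: tiny so exhaustion is visible
        self.entries: set[tuple] = set()

    def handle(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.entries:
            # A SYN for a 4-tuple that already has state: 'syn but not new'.
            return "DROP-SYN-NOT-NEW" if (p.syn and not p.ack) else "ACCEPT"
        bare_syn = p.syn and not p.ack
        if self.policy == "lenient" or bare_syn:
            if len(self.entries) >= self.capacity:
                return "DROP-TABLE-FULL"      # table exhausted, even a real SYN is lost
            self.entries.add(key)
            return "ACCEPT-NEW"
        return "DROP-INVALID"                 # strict: no state without a bare SYN


def run(policy: str) -> tuple[list[str], int]:
    """Constructed traffic: five bare ACKs from varied source ports, then a legitimate SYN."""
    table = StateTable(policy, capacity=4)
    pkts = [Packet("198.51.100.7", 40000 + i, "192.0.2.10", 80, syn=False, ack=True)
            for i in range(5)]
    pkts.append(Packet("203.0.113.5", 51000, "192.0.2.10", 80, syn=True, ack=False))
    return [table.handle(p) for p in pkts], len(table.entries)


def duplicate_syn(policy: str) -> str:
    """Second bare SYN on an already-tracked 4-tuple is refused under either policy."""
    table = StateTable(policy)
    syn = Packet("203.0.113.5", 51000, "192.0.2.10", 80, syn=True, ack=False)
    table.handle(syn)
    return table.handle(syn)
```

Under "lenient" the legitimate SYN at the end is dropped because the ACKs consumed every slot; under "strict" the ACKs create no state and the SYN is accepted.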