On Tue, May 16, 2006 10:29 am, David Malone wrote:
>> Interesting - thanks for the pointer. Unless every stack DTRT we can't
>> use the flow_id, though - or we break otherwise legal connections. In
>> the given case we would open a state with SYN+flow_id and got a reply
>> SYNACK+0 which wouldn't hash the same as the SYN we sent out. No
>> matching state, no connection.
>
> Indeed - we need to get into the position where almost all stacks
> do the right thing before we can use the flow label as a key of any
> sort in the firewalling process. If people have noticed problems
> with this, I'd be interested in knowing which stacks are incriminated.

The PR has www.sixxs.net:80 as example, which seems to be running "Linux
Apache/2.0.55 (Debian)" (according to netcraft). nmap wasn't really able
to tell in my testing, but it should be possible to approach somebody at
sixxs.net about it - they are very helpful and worried about IPv6.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
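
The lookup failure described in the quoted text (a state created from SYN+flow_id, then a SYNACK+0 reply), as an added illustration that is not code from pf or from anyone in this thread. The `state_key` struct, the helper names, the 2001:db8:: addresses and the ports are constructed for the example, and packets are assumed to carry no extension headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical state key for illustration; not pf's real structure. */
struct state_key {
    uint8_t  src[16], dst[16];
    uint16_t sport, dport;
    uint32_t flow;               /* 20-bit flow label, or 0 when not keyed on it */
};

/* The flow label is the low 20 bits of the first 32-bit word of the IPv6 header. */
static uint32_t ipv6_flow_label(const uint8_t *hdr) {
    return ((uint32_t)(hdr[1] & 0x0f) << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Key from a raw IPv6+TCP packet. reverse=1 swaps the endpoints so that a
 * reply can be compared with the state its SYN created. */
static struct state_key make_key(const uint8_t *p, int reverse, int use_flow) {
    struct state_key k;
    memset(&k, 0, sizeof(k));
    memcpy(k.src, p + (reverse ? 24 : 8), 16);
    memcpy(k.dst, p + (reverse ? 8 : 24), 16);
    uint16_t sp = (uint16_t)((p[40] << 8) | p[41]), dp = (uint16_t)((p[42] << 8) | p[43]);
    k.sport = reverse ? dp : sp;  k.dport = reverse ? sp : dp;
    k.flow  = use_flow ? ipv6_flow_label(p) : 0;
    return k;
}

/* Constructed packet: 2001:db8::s -> 2001:db8::d with the given ports and label. */
static void build_pkt(uint8_t *p, uint8_t s, uint8_t d, uint16_t sp, uint16_t dp, uint32_t flow) {
    memset(p, 0, 44);
    p[0] = 0x60;  p[1] = (flow >> 16) & 0x0f;  p[2] = (uint8_t)(flow >> 8);  p[3] = (uint8_t)flow;
    memcpy(p + 8, "\x20\x01\x0d\xb8", 4);   p[23] = s;
    memcpy(p + 24, "\x20\x01\x0d\xb8", 4);  p[39] = d;
    p[40] = (uint8_t)(sp >> 8);  p[41] = (uint8_t)sp;  p[42] = (uint8_t)(dp >> 8);  p[43] = (uint8_t)dp;
}

/* 1 if the SYN-ACK matches the state created by the outbound SYN, else 0. */
static int reply_matches(uint32_t syn_flow, uint32_t synack_flow, int use_flow) {
    uint8_t syn[44], synack[44];
    build_pkt(syn, 1, 2, 49152, 80, syn_flow);
    build_pkt(synack, 2, 1, 80, 49152, synack_flow);
    struct state_key st = make_key(syn, 0, use_flow), in = make_key(synack, 1, use_flow);
    return memcmp(&st, &in, sizeof(st)) == 0;
}

int main(void) {
    printf("keyed on label: %d, label ignored: %d\n", reply_matches(0x12345, 0, 1), reply_matches(0x12345, 0, 0));
}
```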