Jens Rehsack([EMAIL PROTECTED])@2002.05.06 15:04:14 +0000:
> "Karsten W. Rohrbach" wrote:
> > pass in quick on isp0 proto tcp from any to any port = 80 flags S/SA keep state
> > # we want state added when establishing a
> > # session, not for every tcp packet that passes
> > # this rule
> If you read your own statement above you can cut the flags, because all dynamic
> rules are added "quick" before this rule/line, so this rule is never parsed for
> any already matched ...
valid point, my reasoning was wrong (worse: it hurts so bad that i wonder why nobody else intervened ;-)

the reasoning about "why flags S/SA" boils down to the point that no out-of-session packet should be allowed to create a state. session establishment is restricted to SYN/SYN+ACK packets, nothing more. IIRC, the state will just hang there until it times out, but it will be there and use a slot in the state table; ipfilter will not pass a matching packet because of the incomplete session state which is tracked in the state table, anyway.

regards,
/k
--
> Experience is a teacher that gives the examination first and the
> lesson afterwards.
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
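An added illustration of the point argued in this exchange (it is not code from the thread or from ipfilter): a toy model of how a `flags S/SA` clause on a `keep state` rule gates which packets may create a state-table entry. Packets that are already covered by a state entry never reach the rule, as Jens notes; the flag mask then decides whether an out-of-session packet (a lone ACK, FIN or SYN+ACK) still burns a state-table slot. The packets, addresses and the flag encoding are constructed for the example.

```python
# Toy model of an ipfilter "flags X/Y" clause on a "keep state" rule.
# Constructed example, not ipfilter's own code. Flag letters as in ipf(5):
# S=SYN A=ACK F=FIN R=RST P=PSH U=URG.  "X/Y" matches when (pkt & Y) == X.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Parse 'S/SA' into (wanted_bits, mask_bits); a bare 'S' masks all flags."""
    want, _, mask = spec.partition("/")
    mask = mask or "FSRPAU"
    bits = lambda letters: sum(FLAG_BITS[c] for c in letters)
    return bits(want), bits(mask)


def rule_matches(rule, pkt):
    """Static match: proto, destination port and (optionally) the TCP flag test."""
    if pkt["proto"] != rule["proto"] or pkt["dport"] != rule["dport"]:
        return False
    if rule["flags"] is None:          # no flags clause: any TCP packet matches
        return True
    want, mask = parse_flags(rule["flags"])
    return (pkt["tcp_flags"] & mask) == want


def states_created(rule, packets):
    """Return the set of connection 4-tuples that 'keep state' would insert.

    Packets whose 4-tuple already has a state entry are handled by that entry
    ("quick" dynamic lookup) and never reach the rule."""
    table = set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in table:
            continue
        if rule_matches(rule, p):
            table.add(key)
    return table


RULE_SSA = {"proto": "tcp", "dport": 80, "flags": "S/SA"}   # the rule in the thread
RULE_NOFLAGS = {"proto": "tcp", "dport": 80, "flags": None}  # same rule, flags dropped

# Constructed traffic towards a web server: one real handshake, then packets
# with no session behind them (stray ACK, lone FIN, unsolicited SYN+ACK).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.1", "sport": 1025, "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x02},  # SYN
    {"proto": "tcp", "src": "10.0.0.1", "sport": 1025, "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x18},  # PSH+ACK, existing state
    {"proto": "tcp", "src": "10.0.0.2", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x10},  # lone ACK
    {"proto": "tcp", "src": "10.0.0.3", "sport": 40001, "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x01},  # lone FIN
    {"proto": "tcp", "src": "10.0.0.4", "sport": 40002, "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x12},  # SYN+ACK
]

if __name__ == "__main__":
    print("flags S/SA :", len(states_created(RULE_SSA, PACKETS)), "state(s)")
    print("no flags   :", len(states_created(RULE_NOFLAGS, PACKETS)), "state(s)")
```

With `flags S/SA` only the genuine SYN creates a state; without the clause every out-of-session packet also occupies a slot in the state table until it times out.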