On Wed, Jan 24, 2007 at 02:39:42PM -0600, Travers Buda wrote:
> Last time I checked though, clients only talk with the web server on
> port 80. So, the only reason you would want to keep state would be if
> you have a ruleset like block out all (which is generally only useful
> if you don't trust the users of said machine.) So, just unconditionally
> pass port 80 traffic in both directions.

But then your firewall doesn't protect your webservers from SYN floods and
sequence number guessing attacks.

See "synproxy state" in pf.conf(5)
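The two approaches from this exchange side by side as pf.conf rules. This is an added example, not from the original message; the interface name `fxp0` and the address `192.0.2.10` are constructed placeholders.

```pf
ext_if = "fxp0"
web_srv = "192.0.2.10"

# Option A (the quoted suggestion): stateless pass of port 80 in both
# directions. pf never tracks the connection, so every SYN, including a
# flood from spoofed sources, goes straight to the web server, and pf has
# no sequence-number window to check replies against.
# pass in  quick on $ext_if proto tcp to   $web_srv port 80 no state
# pass out quick on $ext_if proto tcp from $web_srv port 80 no state

# Option B (the reply's recommendation): synproxy state. pf completes the
# three-way handshake with the client itself and only then opens a
# connection to the server. Half-open connections from a SYN flood never
# reach the server, and pf tracks sequence numbers for the rest of the flow.
# flags S/SA restricts the rule to the initial SYN, which synproxy requires.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state

# Each proxied handshake costs a state entry, so size the state table for
# the expected connection rate (pf.conf(5), "set limit states").
set limit states 50000
```

Note that synproxy state does not work when pf runs on a bridge, and that the server sees connections from the original client address only after pf has finished the proxied handshake.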
