On 2008-03-23, Ed Flecko <[EMAIL PROTECTED]> wrote:
>
> He then shortly thereafter says, "Firewalk even works against
> traditional and stateful packet filters, which both just decrement the
> TTL by one. However, Firewalk does not work against proxy based
> firewalls, because proxies do not forward packets. Instead, a proxy
> application absorbs packets on one side of the gateway and creates a
> new connection on the other side, destroying all TTL information in
> the process. Packet filters actually forward the same packets, after
> applying filtering rules,

PF's "scrub" option can help. Or if you want an actual proxy, relayd can do interesting things. Packet filters don't have to decrement TTL, btw.

> Statements like this are what started me thinking I'd ask some of you
> (who probably know a whole lot more about this than I do :-)) your
> opinion about an OpenBSD with Squid.
>
> It sounds like a powerful combination to me! :-)

It adds a lot of complexity. Squid is not a small simple piece of software...
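As an added illustration (not part of the original post) of the "scrub" point above: PF's scrub normalization can rewrite the IP TTL of forwarded packets with min-ttl, so the hop-count probing described for Firewalk no longer sees the one-hop decrement it relies on. This uses the current pf.conf(5) match/scrub syntax (OpenBSD 4.6 and later; earlier releases wrote a standalone scrub rule); the interface macro and the TTL value are assumed values, not from the post.

```pf
# ext_if is an assumed interface name for this example.
ext_if = "em0"

# Normalize all inbound traffic on the external interface.
#   reassemble tcp  - normalize TCP segments and rewrite TTL when
#                     PF would otherwise see TTL decrease mid-stream
#   min-ttl 64      - any packet arriving with IP TTL below 64 has its
#                     TTL raised to 64 before forwarding, so a probe set
#                     to expire one hop past the firewall does not expire
#                     there and reveals nothing about the filter rules
match in on $ext_if scrub (reassemble tcp min-ttl 64)

# Usual default-deny policy; scrub does not replace filtering.
block log all
pass out on $ext_if inet keep state
```

Because min-ttl only raises TTLs that are below the threshold, legitimate traffic with a normal initial TTL (64, 128, 255) is left untouched; check with `pfctl -nf /etc/pf.conf` before loading.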