On Tuesday 10 June 2008 22:42:26 Henning Brauer wrote:
[snip]
> > I'm looking around and don't quite get sloppy states. Looking at the
> > code isn't quite helping. Anything else I can read?
>
> like, pf.conf(5)?
>
> sloppy
> Uses a sloppy TCP connection tracker that does not check
> sequence numbers at all, which makes insertion and ICMP teardown attacks
> way easier. This is intended to be used in situations where one does not
> see all packets of a connection, e.g. in asymmetric routing situations.
> Cannot be used with modulate or synproxy state.
>
> comes down to "do not use them".
> there are some very special circumstances where they make things
> possible that didn't work before, like relayd setups with that direct
> server return stuff (where you should run another pf box with real
> state tracking in front of the relayd box) or cases where you only see
> half of the connection, and there one still has to be very careful.
>
> anyone using sloppy statekeeping on regular firewalls deserves more
> than a spanking.
Crud. I did not look there. Sorry for the noise, but perhaps you've warned some folks and they'll listen.

--STeve Andre'
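The pf.conf(5) text quoted above describes when sloppy state tracking is tolerable (a box that only sees half of a connection, such as the front of a direct-server-return setup) and what it costs (no sequence-number checking, so insertion and ICMP teardown attacks only need the 4-tuple). The fragment below is an added illustration, not a ruleset from the thread or from the OpenBSD project: it puts the weak setting beside the corrected one, confining sloppy tracking to the single rule that matches half-visible flows and keeping full tracking everywhere else. Interface names, addresses and the dsr_servers table are constructed for the example.

```pf
# Added example (not from the thread). Interface names, the 192.0.2.0/24
# addresses and the <dsr_servers> table are constructed for illustration.
ext_if = "em0"   # normal, fully visible traffic
dsr_if = "em1"   # only the client->server half of DSR flows is seen here
table <dsr_servers> { 192.0.2.10, 192.0.2.11 }

set skip on lo

# WRONG: sloppy tracking on a path where every packet is visible.
# Sequence numbers are not checked, so anyone who knows the 4-tuple can
# inject segments or tear the state down with spoofed packets.
# pass in on $ext_if proto tcp to ($ext_if) port 22 keep state (sloppy)

# Correct default: strict state tracking on the fully visible interface.
block all
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# Sloppy tracking only on the rule that matches the half-visible DSR flows,
# where a strict tracker would never see the server's replies and would
# drop the connection.
pass in on $dsr_if proto tcp to <dsr_servers> port 80 keep state (sloppy)

# Not allowed: pf.conf(5) states that sloppy cannot be combined with
# modulate or synproxy state, so this rule is rejected at load time.
# pass in on $dsr_if proto tcp to <dsr_servers> port 80 synproxy state (sloppy)
```

Check a ruleset like this with `pfctl -nf /etc/pf.conf` before loading it: the commented-out synproxy line fails the parse when uncommented, and a quick `grep sloppy` over the file shows whether the option has crept onto any rule other than the one covering the asymmetric path. As Henning notes, the box in front of the DSR relay is still the place to do real state tracking; the sloppy rule only keeps the half-visible flows from being dropped.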