Looks like this proposed patch (PR 22065) is still open. I suppose that
means no one has decided whether it is useful or not, or (far more likely)
folks are extremely busy doing other fun and useful stuff for FreeBSD.
The patch in the PR is still mostly valid for FreeBSD 4.2-STABLE with a few
The recent FreeBSD advisory regarding IP fragment denial-of-service
attacks didn't mention whether or not an IP filter (ipfw or ipf) that
drops all fragments is an adequate temporary work-around or not.
Does anyone who is familiar with the problem and attack know if something
like the followin
Sebastien Petit ([EMAIL PROTECTED]) was heard to say:
>I found your patches for 5.0-CURRENT, I will update it for 4.4 and 4.5,
>thank you Crist.
>Will this patch be committed in 5.0-RELEASE or perhaps 4.6? I think
>this is a good functionality imho.
>
>--
>Sebastien Petit
>[EMAIL PROTECTED]
>Th
I recently was heard to elocute:
>Memory wise, the patches only increase memory use in the dynamic rules (a
>single unsigned short), using a union to store the information in the main
>ruleset since for keep-state rules the union in question was not in use (or
>so I believe - no one has told me
I use stateful rules and natd together without any trouble. You just have to
think through VERY carefully exactly what is happening to each and every
packet during its journey and write your rules accordingly.
Let's look at your example ruleset, Michael:
Michael Sierchio ([EMAIL PROTECTED])
"Rogier R. Mulhuijzen" ([EMAIL PROTECTED]) was heard to say:
>>>the reply was that keep-state and natd are very hard to use
>>>together, and besides it is rather useless because natd is stateful
>>>by itself.
>>natd is stateful, but provides no protection for inbound IP traffic
>>that is destined
On Friday 15 February 2002 05:00 pm, Michael Sierchio <[EMAIL PROTECTED]>
wrote:
> Aaron D. Gifford wrote:
> > When it hits check-state, while it DOES match the "X.Y.Z.23 1549<->
> > X.Y.Z.44 22" dynamic rule in principle, it FAILS to match because the
>
On Friday 15 February 2002 06:15 pm, I was heard to blurt out without
thinking:
> default:
> if (q->state == TH_SYN | TH_ACK)
> /*
> * Both forward SYN and SYN+ACK packets have been seen,
> * without a reverse SYN+ACK packet in between, due to a
> * buggy rule set, or bogus t
Andrew ([EMAIL PROTECTED]) wrote:
>Hi,
>
>I have a Linksys WMP11 802.11b card running in hostap mode. Every now
>and then my wireless network disappears. If I ssh into the box over a
>different interface everything looks OK. To get things going I run
>ifconfig wi0 down. The whole machine seems to