On Wed, Jan 21, 2004 at 08:29:32AM -0500, fbsd_user wrote:
[...]
> As far as the question of using keep-state rules on both the private
> and public interfaces this is cross population of the single
> stateful table and returning packets are being matched to entries in
> the stateful table which d
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Micheal
Patterson
Sent: Wednesday, January 21, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: Re: ipfw/nated stateful rules example
- Original Message -
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Jonathan Chen"
Micheal Patterson wrote:
Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure
and would not be accepted by a security professional? How do you figure
that either method is more or less secure than the other? If stateful is
breached in either method, the underlying network is
- Original Message -
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Jonathan Chen" <[EMAIL PROTECTED]>
Cc: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 7:29 AM
Subject: RE: ipfw/nated s
ssage-
From: Jonathan Chen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 12:20 AM
To: fbsd_user
Cc: Micheal Patterson; [EMAIL PROTECTED]
Subject: Re: ipfw/nated stateful rules example
On Tue, Jan 20, 2004 at 09:18:27PM -0500, fbsd_user wrote:
> Yes you are making it work, but
- Original Message -
From: "Jonathan Chen" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 11:20 PM
Subject: Re: ipfw/nated st
- Original Message -
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 8:18 PM
Subject: RE: ipfw/nated stateful rules example
> You are doing keep-state
On Tue, Jan 20, 2004 at 09:18:27PM -0500, fbsd_user wrote:
> Yes you are making it work, but not work
> correctly. In the true security sense, this is un-secure and
> invalidates the whole purpose of using keep-state rules at all. This
> would never be allowed by a real firewall security professio
48 PM
To: [EMAIL PROTECTED]
Subject: Re: ipfw/nated stateful rules example
- Original Message -
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>; "Ken
Bolingbroke"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECT
- Original Message -
From: "fbsd_user" <[EMAIL PROTECTED]>
To: "Micheal Patterson" <[EMAIL PROTECTED]>; "Ken Bolingbroke"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 8:41 AM
Subject: RE: ipfw/nated sta
Alex, yep, I missed your previous post; this list's mail has increased
since 5.2 showed up on the FTP sites and I just missed your post in
all the volume.
First of all, the method of doing keep-state on both the internal LAN
interface and the external is a violation of security protocol
because the packet
fbsd_user wrote:
The conclusion so far is that ipfw1 and ipfw2 using keep-state rules
on the interface facing the public internet with divert/nated does
not work period.
Probably my post hasn't reached you yet. I think you are mistaken if you mean
that keep-state rules cannot be securely used i
IL PROTECTED]
Subject: Re: ipfw/nated stateful rules example
- Original Message -
From: "Ken Bolingbroke" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 10:28 PM
Subject: RE: ipfw/nated st
Ken Bolingbroke wrote:
I just jumped in the middle here, so I may be out of context.
But, stateful rules don't play nice with NAT.
You're quite right, they don't play nice at all.
[EMAIL PROTECTED] wrote:
I disagree with you that the /etc/rc.firewall is the best example.
It's really a good exampl
- Original Message -
From: "Ken Bolingbroke" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 10:28 PM
Subject: RE: ipfw/nated stateful rules example
>
> On Mon, 19 Jan 2004, f
On Mon, 19 Jan 2004, fbsd_user wrote:
> That's a play on words. And still does not prove stateful rules work on
> the interface facing the public internet. There is no documentation that
> says keep-state and limit only works on the interface facing the private
> Lan network. And the implied mean
o any
End of IPFW rules file
###
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Lowell
Gilbert
Sent: Monday, January 19, 2004 8:14 PM
To: [EMAIL PROTECTED]
Subject: Re: ipfw/nated stateful rules example
"
"fbsd_user" <[EMAIL PROTECTED]> writes:
> Sorry but the rule set you posted is doing 'keep-state' on the lan
> interface and not the interface facing the public internet. All the
> rule statements processing against the public interface are
> stateless. Doing stateful testing on the private lan i
;
> Was hoping that the ipfw2 rewrite would have fixed this problem.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Thomas T.
> Veldhouse
> Sent: Monday, January 19, 2004 1:41 PM
> To: [EMAIL PROTECTE
hoping that the ipfw2 rewrite would have fixed this problem.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Thomas T.
> Veldhouse
> Sent: Monday, January 19, 2004 1:41 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED] ORG
> Subj
]
[mailto:[EMAIL PROTECTED] Behalf Of Thomas T.
Veldhouse
Sent: Monday, January 19, 2004 1:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED] ORG
Subject: Re: ipfw/nated stateful rules example
fbsd_user wrote:
> Friends
> In both 4.9 and 5.2 I cannot get a rules set to function that only
> uses
fbsd_user wrote:
> Friends
> In both 4.9 and 5.2 I cannot get a rules set to function that only
> uses 'keep-state' rules for outbound and inbound selection control
> and the divert rule.
>
> Does anybody have a rules set they can share with me as a sample
> for me to see.
>
> Thanks
>
The best