src/etc/rc.firewall simple ${fw_pass} tcp from any to any
established
Dan Lukes
dan at obluda.cz
Sat Nov 11 21:18:07 UTC 2006
R. B. Riddick napsal/wrote, On 11/11/06 20:33:
>> Statefull rules can stop the sophisticated intruder, but are often more
>> vulnerable to DoS attacks.
> Hmm... U mean, when someone creates a lot of states?
> At least pf can limit that...
Yes.
"Limit" mean - some packet (connections, states) are denied. The rest
is question - is algorithm smart enough to limit attackers packet but no
legitimate connections (or, at least, try to block attacker and try not
to block legitimate connections). Especially against attacker with full
knowledge of algorithm.
> But here it looks like just the good guys can create a state (from the
> good-network via the public network to the trusted web sites), so that states
> can't hurt, I think...
Yes, in that case you are true.
Dan
--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz,dan at kolej.mff.cuni.cz
More information about the freebsd-security
mailing list