Transparent firewall & Dynamic rules
Luigi Rizzo
rizzo at iet.unipi.it
Sat Sep 12 14:04:20 UTC 2009
On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It seems fine, but I still have some questions:
> 1. The endpoint will respond to the keepalive TCP segment, and the
> destination will be the other endpoint. Will IPFW just let it through
> like a usual IP packet, or try to figure it out and drop it?
It will let the packet through.
> 2. If I have two computers and I can make sure both ends are not using
> keepalive, can I still figure out that there is a firewall between
> these two computers?
You can disable the keepalives on the firewall (if there is no
sysctl for it, it's a trivial code change anyway), and you
can set a large timeout.

But by definition the presence of a firewall _is_ detectable,
unless it blocks nothing, in which case it is just a logger and not a firewall.
'Transparent', when referring to a middlebox, means
"it does not require endpoint reconfiguration", not that
it is undetectable.
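The mechanism under discussion, as an added example that is not part of the original thread or of ipfw's own code: a toy model of ipfw dynamic rules (check-state / keep-state) in which the firewall, before a dynamic rule expires, injects a bare ACK toward each endpoint forged to look like it came from the peer; each endpoint answers with its own ACK, that answer matches the existing dynamic rule in the reverse direction and is let through, and the rule's lifetime is refreshed. With keepalives disabled, an idle connection's rule simply expires after the ACK lifetime and later traffic is dropped, which is exactly how the firewall becomes detectable. The default lifetime of 300 s mirrors the ipfw sysctl net.inet.ip.fw.dyn_ack_lifetime and the on/off switch mirrors net.inet.ip.fw.dyn_keepalive; the 20 s keepalive lead, the 10 s housekeeping cadence, the "inside" prefix and all addresses are assumptions of this toy, not ipfw parameters.

```python
from dataclasses import dataclass

# Defaults mirror ipfw's net.inet.ip.fw.dyn_ack_lifetime (300 s) and dyn_keepalive (on).
# KEEPALIVE_LEAD is an assumed value for this toy model, not an ipfw parameter.
DYN_ACK_LIFETIME = 300
KEEPALIVE_LEAD = 20


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = bare ACK


class DynFirewall:
    """Minimal model of 'check-state' plus 'allow tcp from inside to any setup keep-state'."""

    def __init__(self, keepalive=True, ack_lifetime=DYN_ACK_LIFETIME, inside="10."):
        self.keepalive = keepalive
        self.ack_lifetime = ack_lifetime
        self.inside = inside          # assumed "inside" prefix for this toy
        self.states = {}              # (src, sport, dst, dport) of the SYN -> expiry time
        self.sent = []                # keepalive segments the firewall itself injected

    @staticmethod
    def _rev(k):
        return (k[2], k[3], k[0], k[1])

    def _lookup(self, p):
        k = (p.src, p.sport, p.dst, p.dport)
        if k in self.states:
            return k
        if self._rev(k) in self.states:
            return self._rev(k)
        return None

    def expire(self, now):
        for k in [k for k, exp in self.states.items() if exp <= now]:
            del self.states[k]

    def filter(self, p, now):
        """Return 'allow' or 'deny' for one packet seen at time 'now'."""
        self.expire(now)
        k = self._lookup(p)
        if k is not None:
            # Any packet matching a live dynamic rule, in either direction, passes and refreshes it.
            self.states[k] = now + self.ack_lifetime
            return "allow"
        if p.flags == "S" and p.src.startswith(self.inside):
            self.states[(p.src, p.sport, p.dst, p.dport)] = now + self.ack_lifetime
            return "allow"
        return "deny"

    def housekeeping(self, now):
        """Periodic pass: drop expired rules and, if enabled, probe both ends of rules about to expire."""
        self.expire(now)
        if not self.keepalive:
            return
        for (src, sport, dst, dport), exp in self.states.items():
            if exp - now <= KEEPALIVE_LEAD:
                # One bare ACK toward each endpoint, forged to look like it came from the peer.
                self.sent.append(Pkt(dst, dport, src, sport, "A"))
                self.sent.append(Pkt(src, sport, dst, dport, "A"))


def endpoint_reply(keepalive: Pkt) -> Pkt:
    """An idle TCP endpoint answers an unexpected bare ACK with its own ACK to the peer."""
    return Pkt(keepalive.dst, keepalive.dport, keepalive.src, keepalive.sport, "A")


def run_idle_connection(keepalive=True, ack_lifetime=DYN_ACK_LIFETIME, probe_at=400):
    """Open a connection through the firewall, leave it idle, then see whether the flow survives."""
    fw = DynFirewall(keepalive=keepalive, ack_lifetime=ack_lifetime)
    client = ("10.0.0.5", 40000)     # constructed addresses
    server = ("192.0.2.10", 22)
    assert fw.filter(Pkt(*client, *server, "S"), 0) == "allow"
    assert fw.filter(Pkt(*server, *client, "SA"), 1) == "allow"
    # Connection goes idle; run housekeeping every 10 s and let endpoints answer any keepalives.
    replies = []
    for t in range(10, probe_at, 10):
        fw.housekeeping(t)
        while fw.sent:
            ka = fw.sent.pop(0)
            replies.append(fw.filter(endpoint_reply(ka), t + 1))
    # After the idle period the server pushes data; does the firewall still know the flow?
    verdict = fw.filter(Pkt(*server, *client, "A"), probe_at)
    return {"keepalive_replies": replies, "probe_verdict": verdict}


if __name__ == "__main__":
    print("keepalive on :", run_idle_connection(keepalive=True))
    print("keepalive off:", run_idle_connection(keepalive=False))
    print("off, 1h life :", run_idle_connection(keepalive=False, ack_lifetime=3600))
```

Run with keepalives on, both endpoint replies are allowed and the probe after 400 s of idle time still passes; with keepalives off, the rule expires at 300 s and the probe is denied, so a host that never sends data for longer than the lifetime can tell a middlebox is in the path; a large lifetime (the "set a large timeout" option) hides the gap for that one test but, as the reply above says, not the firewall itself.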