Multiple Firewalls with ipfilter?

Peter Jeremy peterjeremy at optushome.com.au
Thu Mar 27 11:04:57 PST 2003


On Thu, Mar 27, 2003 at 04:08:23PM +0200, Etienne Ledoux wrote:
>Both master and slave firewalls are exactly the same except for my
>second firewall had two extra rules right at the top:
>
># Allow all established connections
>pass in quick proto tcp all flags A/SA keep state keep frags
>pass out quick proto tcp all flags A/SA keep state keep frags
>#pass in quick proto udp all keep state keep frags
>#pass out quick proto udp all keep state keep frags

This means you've lost all the benefits of stateful packet filtering
(and the above is a fairly big security hole since you're allowing any
connection spoofing attempts to succeed).

This also doesn't address NAT state tables - which is critical for me.

Peter
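
The weak rule pair quoted above beside a corrected form, as an added illustration for this thread (not from either poster's configuration; the interface name `fxp0` and the service ports are assumptions):

```conf
# --- Weak (as quoted): flags A/SA matches any TCP segment with ACK set
# and SYN clear, i.e. a mid-connection packet. Any host can send such a
# packet and ipf will create a state entry for it, so the filter no longer
# requires that a connection start with a SYN it actually permitted.
# pass in quick proto tcp all flags A/SA keep state keep frags
# pass out quick proto tcp all flags A/SA keep state keep frags

# --- Corrected: default deny, and only create state on the initial SYN
# (flags S/SA = SYN set, ACK clear). Replies and later segments of a
# permitted connection are matched by the state table, not by these rules.
block in  log quick on fxp0 all with short
block in  log on fxp0 all
block out log on fxp0 all

# Inbound services we actually offer: state is created only by the SYN.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state keep frags
pass in quick on fxp0 proto tcp from any to any port = 25 flags S/SA keep state keep frags

# Outbound connections from the protected side, likewise SYN-only.
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state keep frags
pass out quick on fxp0 proto udp from any to any keep state keep frags
```

Load with `ipf -Fa -f /etc/ipf.rules` and confirm with `ipfstat -s` that state entries appear only for connections that matched a SYN rule; the point raised about NAT state tables is not addressed by these rules.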


More information about the freebsd-security mailing list