1999-09-27-17:29:53 David Lang:
> If you are setting up a firewall for outbound connections only then Linux
> has a stateful packet filter. If you turn on masquerading (many->1 NAT) the
> system has to track everything to know how to map the ports. As the ports go
> away as connections close (or are idle longer than the allowed time) you end
> up with state being maintained.
It's true, in the formal sense of the word --- and in practice, too. NAT does
theoretically imply a stateful implementation, and Linux's many->1 IP Masq
actually works as a stateful packet filtering setup.
However, to the best of my knowledge there's no way with ipfw or ipchains to
get the stateful connection tracking (so that only return packets of actual
open connections will be allowed back) _without_ the address translation, and
so if you want to use un-NATted addrs on the protected net you can't get SPF.
-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
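Added illustration (not from the list post above, and not Linux kernel code): a toy packet-filter simulation contrasting the two things Bennett distinguishes. The "stateless" rule is the closest ipchains could get without masquerading, namely accepting inbound TCP unless it is a bare SYN (the `! -y` test); the "stateful" tracker is what the masquerading code does internally, remembering connections the inside host opened and ageing them out when idle. The addresses, port numbers, packet sequence and the 300-second idle timeout are all constructed for the example.

```python
"""Toy comparison of a stateless 'not a bare SYN' rule versus connection
tracking.  Added example only; addresses, ports and timeout are assumptions."""
from collections import namedtuple

# Constructed packet model: five-tuple, TCP flag letters, arrival time (s).
Packet = namedtuple("Packet", "src sport dst dport flags ts")

INTERNAL_NET = "192.168.1."   # assumed un-NATted protected network
IDLE_TIMEOUT = 300            # assumed idle limit; the post names no number


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)


def stateless_ack_rule(pkt: Packet) -> bool:
    """ipchains-style approximation with no memory of earlier packets:
    outbound is always allowed, inbound is allowed unless it is a bare SYN
    (SYN set, ACK clear).  A forged ACK therefore passes."""
    if is_internal(pkt.src):
        return True
    syn_only = "S" in pkt.flags and "A" not in pkt.flags
    return not syn_only


class ConnTracker:
    """Minimal stateful filter: inbound packets are accepted only if they are
    the reverse direction of a flow the inside host started, and flows are
    dropped on RST or when idle longer than the timeout."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        # (inside addr, inside port, outside addr, outside port) -> last seen
        self.table = {}

    def _expire(self, now: float) -> None:
        dead = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def allow(self, pkt: Packet) -> bool:
        self._expire(pkt.ts)
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "R" in pkt.flags:
                self.table.pop(key, None)   # inside host tore the flow down
            else:
                self.table[key] = pkt.ts    # create or refresh the flow
            return True
        # Inbound: look the packet up as the reverse of a tracked flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False
        if "R" in pkt.flags:
            del self.table[key]
        else:
            self.table[key] = pkt.ts
        return True


def run_scenario() -> dict:
    """Feed a constructed packet sequence to both policies.
    Returns {description: (stateless_decision, stateful_decision)}."""
    tracker = ConnTracker()
    inside, server, attacker = "192.168.1.10", "10.0.0.5", "10.0.0.66"
    packets = [
        ("client SYN out",      Packet(inside, 40000, server, 80, "S", 0)),
        ("server SYN-ACK back", Packet(server, 80, inside, 40000, "SA", 1)),
        ("unsolicited SYN in",  Packet(attacker, 4444, inside, 22, "S", 2)),
        ("spoofed ACK in",      Packet(attacker, 4444, inside, 22, "A", 3)),
        ("late ACK after idle", Packet(server, 80, inside, 40000, "A",
                                       1 + IDLE_TIMEOUT + 1)),
    ]
    results = {}
    for name, pkt in packets:
        results[name] = (stateless_ack_rule(pkt), tracker.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless!s:5} stateful={stateful}")
```

The line to look at is "spoofed ACK in": the SYN-flag rule lets it through because it is not a connection-opening packet, while the tracker rejects it because no inside host ever opened that flow. The "late ACK after idle" case shows the other half of David's point, that state has to be timed out as well as created.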