[EMAIL PROTECTED] wrote
> 
> > here I have to insist (if you don't mind).
> 
> Feel free.  This was an open mailing list, last I checked..  :)

cool. let's jump in boys...
  
> 
> My point was that you can "imitate" a stateful filter by specifying
> flags.  Stateful filtering right in the code makes life a bit easier. 
> Instead of specifying answers to former connections, you can just
> specify that the ACK bit is set.  And voila, you've got a "stateful"
> firewall.  You can still specify ports and such.  It's just that the
> stateful-ness is being done manually, instead of automagically.

no, you cannot imitate SPF with flag control.

first, flag control is limited to TCP, and cannot be used with UDP.
so you'll need either a stateful filter or a proxy on the FW (bind is ok).


Also, with flag control, you allow "established" TCP packets to go to
a protected host. with SPF, you restrict the list of allowed packets
to those corresponding to packets going the other way and for which
the filter maintains the state.

for example, with the flag control, I can just send you stupid TCP packets
to flood your internal host. yes, this is still possible with SPF, but
I'll have to determine current sessions.

you can certainly use flag control with or without proxies, but Stateful
inspection clearly has an advantage (over stateless filtering, even with
flag control).

regards,

mouss
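As an added illustration of the distinction made above (not code from the thread or from any poster; the packet model, addresses and ports are constructed), a stateless ACK-flag rule next to a minimal state-tracking filter, run over the three inbound cases the message describes: a genuine reply, an unsolicited ACK-only packet, and a UDP (DNS) answer.

```python
from collections import namedtuple

# Constructed packet model; flags is a frozenset such as {"SYN"} or {"ACK"} (TCP only)
Pkt = namedtuple("Pkt", "proto src sport dst dport flags inbound")

def flag_filter(pkt):
    """Stateless 'flag control': inbound TCP passes if ACK is set.
    UDP carries no flags, so this rule has nothing to match on."""
    return (not pkt.inbound) or (pkt.proto == "tcp" and "ACK" in pkt.flags)

class StatefulFilter:
    """Inbound passes only as the reply direction of a flow seen leaving."""
    def __init__(self):
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound flows

    def allow(self, pkt):
        if not pkt.inbound:
            # a fresh TCP SYN or any UDP datagram creates state
            if pkt.proto == "udp" or pkt.flags == {"SYN"}:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse not in self.flows:
            return False  # no matching session: dropped even with ACK set
        return pkt.proto == "udp" or "ACK" in pkt.flags

def demo():
    """Return {name: (stateless_verdict, stateful_verdict)} for three inbound packets."""
    sf = StatefulFilter()
    inside, outside, third = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    # 1. inside opens a web session; the server's SYN/ACK comes back
    sf.allow(Pkt("tcp", inside, 40000, outside, 80, frozenset({"SYN"}), False))
    reply = Pkt("tcp", outside, 80, inside, 40000, frozenset({"SYN", "ACK"}), True)
    # 2. unsolicited ACK-only packet from a third party to the same internal port
    unsolicited = Pkt("tcp", third, 3333, inside, 40000, frozenset({"ACK"}), True)
    # 3. DNS answer to a query the inside host actually sent
    sf.allow(Pkt("udp", inside, 5353, outside, 53, frozenset(), False))
    dns = Pkt("udp", outside, 53, inside, 5353, frozenset(), True)
    return {name: (flag_filter(p), sf.allow(p))
            for name, p in (("reply", reply), ("unsolicited", unsolicited), ("dns", dns))}
```

The stateless rule lets the unsolicited ACK packet through and cannot admit the DNS answer at all, while the stateful filter passes exactly the two packets that belong to flows it saw leave.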

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]