[snip]
> > [Ben Nagy wrote]
> > Assuming we're talking about an arbitrary, theoretical NAT box - it
> > handles it fine. My coders were (just) bright enough to realise that
> > the connection should get pulled out of the state table after seeing
> > a FIN from either side. How hard is that?
> > 
> Hmm.. Not entirely correct. Not all OS strictly send a FIN when closing
> connections.
> 

Um, how else would they get closed?

From RFC 793:
" The clearing of a connection also involves the exchange of segments,
  in this case carrying the FIN control flag. "

Maybe what you mean is that not all OSes bother to explicitly close all
connections?

In that case NAT boxes are expected to time connections out after certain
durations. It's also a good idea to keep an eye on the total number of open
connections as some DOS methods work that way.

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
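The three rules the thread settles on (drop the entry when a FIN is seen from either side, expire entries that sit idle past a timeout, and cap the total number of tracked connections so a flood of never-closed connections cannot fill the table) as a small state-table simulation. This is an added illustration, not code from the list or from any firewall product; the packet trace, the 30-second idle timeout and the three-entry cap are constructed values chosen to make each rule fire.

```python
"""Toy NAT/connection-tracking state table (constructed example).

Models the behaviour discussed in the thread:
  * an entry is removed as soon as a FIN is seen from either side
  * entries idle longer than idle_timeout seconds are expired
  * the table holds at most max_entries flows; new flows beyond that are
    refused rather than evicting live ones
"""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    last_seen: float  # timestamp of the last segment seen on this flow


class NatStateTable:
    def __init__(self, idle_timeout: float = 60.0, max_entries: int = 1000):
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries
        self.table: dict[tuple, FlowEntry] = {}
        self.rejected = 0  # new flows refused because the table was full
        self.expired = 0   # entries reaped by the idle timeout

    @staticmethod
    def _key(src, dst):
        # One entry per bidirectional flow: canonical endpoint order so a
        # FIN travelling in either direction maps to the same entry.
        return tuple(sorted((src, dst)))

    def expire_idle(self, now: float) -> int:
        """Remove every entry idle for longer than idle_timeout; return count."""
        stale = [k for k, e in self.table.items()
                 if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        self.expired += len(stale)
        return len(stale)

    def observe(self, src, dst, flags: set, now: float) -> str:
        """Process one segment; return 'closed', 'tracked' or 'rejected'."""
        self.expire_idle(now)
        key = self._key(src, dst)
        if "FIN" in flags:
            # FIN from either side: pull the flow out of the state table.
            self.table.pop(key, None)
            return "closed"
        if key in self.table:
            self.table[key].last_seen = now
            return "tracked"
        if len(self.table) >= self.max_entries:
            self.rejected += 1
            return "rejected"
        self.table[key] = FlowEntry(last_seen=now)
        return "tracked"


def run_demo() -> dict:
    """Replay a constructed trace; return per-segment verdicts and counters."""
    nat = NatStateTable(idle_timeout=30.0, max_entries=3)
    srv = ("203.0.113.5", 80)  # constructed server endpoint (TEST-NET-3)
    a, b, c, d, e = (("10.0.0.%d" % i, 40000 + i) for i in range(1, 6))
    verdicts = [
        nat.observe(a, srv, {"SYN"}, 0.0),         # tracked
        nat.observe(b, srv, {"SYN"}, 1.0),         # tracked
        nat.observe(c, srv, {"SYN"}, 2.0),         # tracked; table now full
        nat.observe(d, srv, {"SYN"}, 3.0),         # rejected: cap reached
        nat.observe(srv, a, {"FIN", "ACK"}, 4.0),  # closed: FIN from server side
        nat.observe(d, srv, {"SYN"}, 5.0),         # tracked: slot freed by the FIN
        # b and c never close; at t=35 both are idle > 30 s and get reaped,
        # while d (idle exactly 30 s) survives.
        nat.observe(e, srv, {"SYN"}, 35.0),        # tracked
    ]
    return {"verdicts": verdicts, "live": len(nat.table),
            "rejected": nat.rejected, "expired": nat.expired}


if __name__ == "__main__":
    print(run_demo())
```

Real trackers keep a per-state timeout (a half-open SYN gets a much shorter timer than an established flow) rather than the single idle timeout used here; the cap on total entries is what keeps the second failure mode in the message, a flood of connections that are never closed, from turning into table exhaustion.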
