On Thu, Nov 16, 2000 at 02:15:48PM +0100, mouss wrote:
> The difference with TCP is that a malicious user can inject packets
> if he manages to send'em while you're waiting for a reply. Unlike TCP,
> UDP provides no state nor sequence numbers, so one can forge
> "replies" easily.
True, although I would expect that trusting a UDP "keep state" mechanism
would be an improvement over allowing all incoming UDP. :)
On that subject, is it documented somewhere (other than the source code)
how long ipfilter will allow return UDP packets while using "keep
state"? I didn't see it mentioned in the man page or the FAQ.
> This is possible even with TCP in the case of implementations
> that incompletely handle the TCP state and/or sequence numbers. And it
> seems such implementations exist :)
(Hopefully ipfilter and Linux 2.4's netfilter are not in this category?)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
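To make the point of the exchange above concrete, here is a small added model of a "keep state" filter. It is an illustration written for this page, not ipfilter, netfilter, or code from anyone on the thread. For UDP the filter can only remember the 4-tuple and a timer, so any packet that matches the tuple inside the timeout is let in, forged or not; for TCP it can also demand a correct ACK of the inside host's (random) initial sequence number and an in-window sequence number, which an off-path forger cannot supply. The 60-second UDP timeout, the window size, the addresses and ports, and the packet fields are all assumptions chosen for the example and say nothing about ipfilter's real values.

```python
# Toy stateful filter for UDP vs. TCP "keep state". Added illustration only:
# not ipfilter/netfilter code. Timeout, window and addresses are ASSUMED.
from dataclasses import dataclass
from typing import Dict, Tuple

UDP_STATE_TIMEOUT = 60.0   # seconds; an assumed value, not ipfilter's real one
TCP_WINDOW = 65535         # assumed receive window for the sequence check

FlowKey = Tuple[str, str, int, int]   # (src, dst, sport, dport)


@dataclass
class Packet:
    proto: str            # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0          # TCP only
    ack: int = 0          # TCP only
    syn: bool = False     # TCP only
    length: int = 0       # TCP payload bytes


@dataclass
class UdpState:
    expires: float        # entry is dropped once `now` passes this


@dataclass
class TcpState:
    our_next_seq: int     # next sequence number the inside host will send
    peer_next_seq: int    # next sequence number expected from the peer; -1 = unknown


class StatefulFilter:
    """Outbound packets from the inside host create state; inbound must match it."""

    def __init__(self) -> None:
        self.udp: Dict[FlowKey, UdpState] = {}
        self.tcp: Dict[FlowKey, TcpState] = {}

    def outbound(self, p: Packet, now: float) -> None:
        key = (p.src, p.dst, p.sport, p.dport)
        if p.proto == "udp":
            self.udp[key] = UdpState(expires=now + UDP_STATE_TIMEOUT)
            return
        st = self.tcp.setdefault(key, TcpState(our_next_seq=p.seq, peer_next_seq=-1))
        st.our_next_seq = p.seq + p.length + (1 if p.syn else 0)   # SYN uses one seq

    def inbound(self, p: Packet, now: float) -> bool:
        key = (p.dst, p.src, p.dport, p.sport)   # look up the outbound flow
        if p.proto == "udp":
            st = self.udp.get(key)
            if st is None or now > st.expires:
                self.udp.pop(key, None)
                return False
            # Only the 4-tuple and the timer are checked: whoever can guess or
            # observe the client port can forge a "reply" during this window.
            st.expires = now + UDP_STATE_TIMEOUT
            return True
        st = self.tcp.get(key)
        if st is None:
            return False
        # The reply must acknowledge exactly what the inside host has sent (its
        # ISN is random and invisible to an off-path forger); real stacks accept
        # a range of ACKs, exact match keeps the toy simple...
        if p.ack != st.our_next_seq:
            return False
        # ...and, once the peer's ISN is known, carry an in-window sequence number.
        if st.peer_next_seq >= 0 and not (st.peer_next_seq <= p.seq < st.peer_next_seq + TCP_WINDOW):
            return False
        st.peer_next_seq = max(st.peer_next_seq, p.seq + p.length + (1 if p.syn else 0))
        return True


INSIDE, OUTSIDE = "10.0.0.2", "192.0.2.53"   # constructed addresses for the demo


def udp_reply_accepted(reply_dport: int, delay: float) -> bool:
    """Inside host sends a DNS query from port 40000; a 'reply' to `reply_dport` arrives `delay` s later."""
    fw = StatefulFilter()
    fw.outbound(Packet("udp", INSIDE, OUTSIDE, 40000, 53), now=0.0)
    return fw.inbound(Packet("udp", OUTSIDE, INSIDE, 53, reply_dport), now=delay)


def tcp_synack_accepted(ack: int) -> bool:
    """Inside host sends a SYN with ISN 1000; a SYN/ACK arrives carrying `ack`."""
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", INSIDE, OUTSIDE, 40000, 80, seq=1000, syn=True), now=0.0)
    return fw.inbound(Packet("tcp", OUTSIDE, INSIDE, 80, 40000, seq=5000, ack=ack, syn=True), now=0.1)


def tcp_data_accepted(seq: int) -> bool:
    """After a completed handshake (peer ISN 5000), a data segment with sequence `seq` arrives."""
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", INSIDE, OUTSIDE, 40000, 80, seq=1000, syn=True), now=0.0)
    fw.inbound(Packet("tcp", OUTSIDE, INSIDE, 80, 40000, seq=5000, ack=1001, syn=True), now=0.1)
    fw.outbound(Packet("tcp", INSIDE, OUTSIDE, 40000, 80, seq=1001, ack=5001), now=0.2)
    return fw.inbound(Packet("tcp", OUTSIDE, INSIDE, 80, 40000, seq=seq, ack=1001, length=100), now=0.3)


if __name__ == "__main__":
    print("UDP forged reply, right port, inside timeout:", udp_reply_accepted(40000, 1.0))
    print("UDP forged reply, right port, after timeout: ", udp_reply_accepted(40000, 61.0))
    print("UDP forged reply, wrong port:               ", udp_reply_accepted(40001, 1.0))
    print("TCP SYN/ACK with guessed ACK:               ", tcp_synack_accepted(4242))
    print("TCP data segment with out-of-window seq:    ", tcp_data_accepted(4000))
```

The UDP case shows what the "keep state" improvement actually buys: blind injection now needs the client port and has to land inside the timeout, which is better than allowing all inbound UDP but is not authentication. The TCP case shows why a sequence-aware implementation is harder to fool, and why an implementation that skipped the ACK and window checks would degrade to the UDP situation.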