I wrote (again):

On Tuesday, Jul 22, 2003, at 06:43 US/Pacific, Henning Brauer wrote:

On Tue, Jul 22, 2003 at 02:55:47AM -0700, Trevor Talbot wrote:
Also note that most of your rules are a bit "loose" as far as TCP goes. The upside is that they'll pick up existing connections when you reboot/reconfigure the firewall, but you may want to get more control over which direction connections are initiated from by using "flags S/SA" with all of them. It depends on your situation; this is just a heads up.

I consider this flags filtering stupid.

Well true, if you aren't using modulate state, there isn't much point.

Er, after putting a bit more thought into this .. can't it be used to solicit responses from a host when you might not want responses given (default drop policy)?

...No. I'm confusing a couple different issues; there is no gain from filtering on flags in this context.


(I still have 4 minutes; shall I try for a third reply to myself within an hour?)
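
Added example, not part of the original message: a small Python model of the `flags S/SA` comparison discussed in this thread, showing which packets may create state under a rule with that test versus a "loose" rule with no flags test. The function names and the packet list are constructed for illustration, and the code models only the flag comparison, not pf itself.

```python
# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(spec):
    """Turn a pf-style 'set/mask' string such as 'S/SA' into two bitmasks."""
    if "/" not in spec:
        raise ValueError("expected 'set/mask', e.g. 'S/SA'")
    want_s, mask_s = spec.split("/", 1)
    want = mask = 0
    for c in want_s:
        want |= LETTERS[c]
    for c in mask_s:
        mask |= LETTERS[c]
    return want, mask


def flags_match(tcp_flags, spec):
    """True if, of the flags named in mask, exactly those in set are on."""
    want, mask = parse_flags(spec)
    return (tcp_flags & mask) == want


def creates_state(tcp_flags, spec=None):
    """Hypothetical model of a 'pass ... keep state' rule seeing a packet
    that has no state entry yet. spec=None is the loose rule (no flags test)."""
    return spec is None or flags_match(tcp_flags, spec)


# Constructed sample packets (flag byte only), not captured traffic.
PACKETS = {
    "initial SYN": SYN,
    "SYN+ACK reply": SYN | ACK,
    "mid-connection ACK": ACK,
    "data PSH+ACK": PSH | ACK,
}


def compare():
    """Map packet name -> (loose rule creates state, S/SA rule creates state)."""
    return {n: (creates_state(f), creates_state(f, "S/SA"))
            for n, f in PACKETS.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:20s} loose={loose!s:5s} flags S/SA={strict}")
```

The loose rule accepts every packet, which is why it picks up existing connections after a reboot; with `S/SA` only the initial SYN can create state, so the rule also fixes which side may open the connection.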
