On (2011-08-19 19:03 -0400), Stefan Fouant wrote:
This is the nature of stateless firewall-filters guys... It has been this way
since the beginning and everybody else seems to understand this behavior. I
don't see anybody else screaming that this is a gaping security hole. You do
realize
Hi Saku,
I think we are simply getting the wires crossed. Your original email stated
Trio appears to change this, in inet6 simply doing 'match port X' without
'match next-header tcp|udp' correctly finds port X, regardless of its position
in the frame (you can move the UDP/TCP port position
On (2011-08-18 21:23 -0400), Stefan Fouant wrote:
Trio has nothing to do with this - the behavior when matching on a
port is completely different than using the bit-field match
operators. Even without Trio, if you specify a match on a port
without protocol, it will look in the appropriate
This is the nature of stateless firewall-filters guys... It has been this way
since the beginning and everybody else seems to understand this behavior. I
don't see anybody else screaming that this is a gaping security hole. You do
realize that this is no different than ACLs on Cisco right? If
inconsistency?
I would say gaping security hole. I wonder how many routers out there are
set up to pass any IP packet with ACK bit turned on.
Nick
On Fri, Aug 19, 2011 at 5:50 PM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:
Hi Saku,
'tcp-established' or any of the other TCP bit-field
Martin,
I think the fact that any of the pings are succeeding is accidental.
Based on my initial glance at your firewall filter, you are not permitting ICMP
echo request messages and the final term drop is discarding traffic. I would,
therefore, expect all pings to fail completely. The reason
On 8/18/2011 3:18 PM, Saku Ytti wrote:
On (2011-08-18 10:28 -0400), Stefan Fouant wrote:
established. This can cause strange behavior since it's only looking
for it a simple bit match against the TCP ACK or RST fields.
However because you are not tying it specifically to TCP traffic,
any
7 matches