[121019] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Jay Hennigan)
Fri Jan 8 01:56:14 2010

Date: Thu, 07 Jan 2010 22:55:25 -0800
From: Jay Hennigan <jay@west.net>
To: nanog@nanog.org
In-Reply-To: <20100107142514.GA23323@mail.zucchetti.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Nenad Andric wrote:
> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay@west.net> wrote:

>> Or better:
>>     - Allow from anywhere port 80 to server port > 1023 established
> 
>  Adding "established" brings us back to a stateful firewall!

Not really.  It only looks to see if the ACK or RST bits are set.  This 
is different from a stateful firewall, which memorizes each outbound 
packet and checks the return for a matching source/destination/sequence.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
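The distinction Jay draws above can be made concrete in code. The following is an added example, not part of the thread or of any vendor's ACL implementation: a stateless `established` test that, like the ACL line quoted above, permits a packet from source port 80 to a port above 1023 purely on the ACK/RST bits, next to a minimal stateful filter that records outbound SYNs and admits a reply only when it matches a remembered flow. The header builder, the flow table keyed on port pairs, and the acknowledgement-number check are my own constructions, assumed for illustration; the constructed packets stand in for real captured traffic.

```python
# Added example (not from the NANOG thread): the stateless "established"
# ACL check beside a minimal stateful connection table.
import struct

# TCP flag bits as laid out in the 16-bit data-offset/flags word.
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(sport, dport, seq, ack, flags):
    """Build a bare 20-byte TCP header (constructed input; checksum left zero)."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, then flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp_header(data):
    """Decode the fields an ACL or firewall would look at."""
    sport, dport, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": offset_flags & 0x1FF}


def established_permits(hdr):
    """The ACL line from the thread: from source port 80 to a port > 1023,
    keyword 'established'. It keeps no memory of earlier packets; it only
    asks whether ACK or RST is set on this one."""
    if hdr["sport"] != 80 or hdr["dport"] <= 1023:
        return False
    return bool(hdr["flags"] & (TH_ACK | TH_RST))


class StatefulFilter:
    """Records outbound SYNs and admits inbound packets only for a known flow
    whose acknowledgement number is consistent with what was sent."""

    def __init__(self):
        # (client_port, server_port) -> acknowledgement number the server must send
        self.flows = {}

    def outbound(self, hdr):
        # Only a bare SYN (no ACK) opens a new flow entry.
        if hdr["flags"] & TH_SYN and not hdr["flags"] & TH_ACK:
            self.flows[(hdr["sport"], hdr["dport"])] = hdr["seq"] + 1

    def inbound_permits(self, hdr):
        key = (hdr["dport"], hdr["sport"])        # reverse direction of the flow
        expected_ack = self.flows.get(key)
        if expected_ack is None:
            return False                          # no outbound packet ever asked for this
        return bool(hdr["flags"] & TH_ACK) and hdr["ack"] == expected_ack


def run_scenario():
    """Constructed traffic: one real client connection plus two unsolicited
    inbound packets. Returns (established_verdict, stateful_verdict) per packet."""
    sf = StatefulFilter()
    sf.outbound(parse_tcp_header(build_tcp_header(40000, 80, 1000, 0, TH_SYN)))

    packets = {
        # Genuine SYN/ACK reply to the recorded SYN: both filters permit.
        "reply_to_our_syn": build_tcp_header(80, 40000, 5000, 1001, TH_SYN | TH_ACK),
        # Inbound packet from port 80 with ACK set but no matching flow: the
        # stateless check permits it on flags alone, the stateful one does not.
        "unsolicited_ack": build_tcp_header(80, 40001, 7000, 0, TH_ACK),
        # Inbound bare SYN to a high port: neither permits a new connection.
        "inbound_syn": build_tcp_header(80, 40002, 9000, 0, TH_SYN),
    }
    return {
        name: (established_permits(parse_tcp_header(raw)), sf.inbound_permits(parse_tcp_header(raw)))
        for name, raw in packets.items()
    }


if __name__ == "__main__":
    for name, (est, stateful) in run_scenario().items():
        print(f"{name:18s} established={est!s:5s} stateful={stateful}")
```

The second packet is the whole point of the exchange: the `established` keyword accepts it because the ACK bit is set, while the stateful filter rejects it because no outbound packet ever created the flow. That is the trade-off between a cheap flag test on a router ACL and a firewall that has to keep a table for every connection.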

