[121148] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Henry Yen)
Mon Jan 11 15:53:10 2010

Date: Mon, 11 Jan 2010 15:52:05 -0500
From: Henry Yen <henry@AegisInfoSys.com>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <4B46D6DD.6060901@west.net>;
	from Jay Hennigan on Thu, Jan 07, 2010 at 22:55:25PM -0800
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote:
> Nenad Andric wrote:
> > On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay@west.net> wrote:
> 
> >> Or better:
> >>     - Allow from anywhere port 80 to server port > 1023 established
> > 
> >  Adding "established" brings us back to stateful firewall!
> 
> Not really.  It only looks to see if the ACK or RST bits are set.  This
> is different from a stateful firewall which memorizes each outbound
> packet and checks the return for a match source/destination/sequence.

That's (Cisco) reflexive access lists.

-- 
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
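An added example, not part of the thread: a small Python model of the two checks Jay describes, applied to the ACL rule quoted above and run over constructed packets. The server address, the flag names and the 4-tuple-only state table are assumptions (a real stateful firewall also checks sequence numbers, as the post says); the point is that "established" admits any packet carrying ACK or RST, while the stateful table admits only replies to traffic it saw go out.

```python
from dataclasses import dataclass

SERVER = "192.0.2.10"  # assumed server address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


def established_match(pkt: Packet) -> bool:
    """The ACL 'established' keyword: true whenever ACK or RST is set.
    It keeps no memory of earlier packets."""
    return bool(pkt.flags & {"ACK", "RST"})


def acl_allows(pkt: Packet) -> bool:
    """'Allow from anywhere port 80 to server port > 1023 established'."""
    return (pkt.sport == 80 and pkt.dst == SERVER and pkt.dport > 1023
            and established_match(pkt))


class StatefulFilter:
    """Remembers outbound client SYNs and admits only matching replies.
    Simplified: tracks the 4-tuple only, not sequence numbers."""

    def __init__(self) -> None:
        self.table: set = set()

    def outbound(self, pkt: Packet) -> None:
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare() -> dict:
    """Run both checks over constructed traffic and report which packets pass."""
    fw = StatefulFilter()
    # The server host opens a web connection outbound; the SYN/ACK back is legitimate.
    fw.outbound(Packet(SERVER, 40000, "198.51.100.5", 80, frozenset({"SYN"})))
    reply = Packet("198.51.100.5", 80, SERVER, 40000, frozenset({"SYN", "ACK"}))
    # Unsolicited packet from port 80 with ACK set and no prior connection.
    stray = Packet("203.0.113.9", 80, SERVER, 50000, frozenset({"ACK"}))
    return {
        "reply": {"acl": acl_allows(reply), "stateful": fw.inbound_allows(reply)},
        "stray": {"acl": acl_allows(stray), "stateful": fw.inbound_allows(stray)},
    }
```

`compare()` returns True/True for the genuine reply and True/False for the stray packet, which is exactly the gap between the two mechanisms the thread is arguing about.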

