[13511] in bugtraq


Fwd: Re: Fwd: Re: explanation and code for stream.c issues

daemon@ATHENA.MIT.EDU (Tim Yardley)
Sun Jan 23 19:07:47 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <4.2.0.58.20000121184941.013beb80@students.uiuc.edu>
Date:         Fri, 21 Jan 2000 18:52:54 -0600
Reply-To: Tim Yardley <yardley@UIUC.EDU>
From: Tim Yardley <yardley@UIUC.EDU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

The rulesets that were suggested by Darren Reed forgot to include the
outgoing connections.

This is the updated ruleset...

block in quick proto tcp from any to any head 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all

Brian Kraemer <kraemer@u.washington.edu> pointed this out with the
following paragraph:

:: FYI this ruleset (with no other rules applied) will also effectively block
:: any outgoing TCP sessions initiated from this machine. The machine will
:: send a SYN, and then get blocked because the input rules never saw an
:: incoming SYN to start keeping state. Thus, the ruleset should be revised.

/tmy


-- Diving into infinity my consciousness expands in inverse
    proportion to my distance from singularity

+--------  -------  ------  -----  ---- --- -- ------ --------+
|  Tim Yardley (yardley@uiuc.edu)	
|  http://www.students.uiuc.edu/~yardley/
+--------  -------  ------  -----  ---- --- -- ------ --------+
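
A worked model of the two rulesets, added here as an example and not code from the post or from ipfilter itself: it imitates how ipf walks rules using only the keywords in the post (quick, head/group, flags S, keep state, and the state table checked before the rules) and reproduces the outbound-connection case Brian Kraemer describes. The "original" ruleset (the updated one minus the "pass out" line), the host and peer endpoints, and the stand-alone ACK packet are constructed assumptions.

```python
# Added example, not ipfilter's code: a toy model of how ipf walks the rulesets in the post.
def parse(rule):
    w = rule.split()
    after = lambda k: w[w.index(k) + 1] if k in w else None
    return {"action": w[0], "dir": w[1], "quick": "quick" in w,
            "proto": after("proto") or "any", "syn_only": after("flags") == "S",
            "keep_state": "keep" in w, "head": after("head"), "group": after("group")}
def matches(r, pkt):   # "flags S" in ipf means SYN set and ACK clear, i.e. a pure SYN
    return (r["dir"] == pkt["dir"] and r["proto"] in ("any", pkt["proto"])
            and (not r["syn_only"] or pkt["flags"] == "S"))

class IpfModel:
    def __init__(self, rules):
        self.rules = [parse(x) for x in rules]
        self.state = set()      # one (proto, {endpoint, endpoint}) entry per tracked connection

    def filter(self, pkt):
        key = (pkt["proto"], frozenset((pkt["src"], pkt["dst"])))
        if key in self.state:   # the state table is consulted before any rule
            return "pass"
        verdict, group, quick_head = "pass", None, False   # ipf's default policy is pass
        for r in self.rules:
            if group is not None and r["group"] != group:  # ran past the end of the active group
                if quick_head:  # quick head and no group rule matched: the head's verdict stands
                    break
                group = None
            if r["group"] != group or not matches(r, pkt):
                continue
            verdict = r["action"]
            if r["keep_state"] and verdict == "pass":
                self.state.add(key)
            if r["head"]:       # a matching head hands the packet to its group's rules
                group, quick_head = r["head"], r["quick"]
            elif r["quick"]:
                break
        return verdict

ORIGINAL = ["block in quick proto tcp from any to any head 100",     # assumed: the earlier
            "pass in quick proto tcp from any to any flags S keep state group 100",  # ruleset without
            "pass in all"]                                             # the "pass out" line
UPDATED = ORIGINAL[:2] + ["pass out proto tcp from any to any flags S keep state"] + ORIGINAL[2:]

def outbound_session(rules):  # this host opens a TCP connection; endpoints are constructed
    fw = IpfModel(rules)
    out = fw.filter({"dir": "out", "proto": "tcp", "flags": "S", "src": "me:40001", "dst": "peer:80"})
    back = fw.filter({"dir": "in", "proto": "tcp", "flags": "SA", "src": "peer:80", "dst": "me:40001"})
    return out, back            # ORIGINAL: ("pass", "block"); UPDATED: ("pass", "pass")

def unsolicited_ack(rules):   # an inbound ACK that belongs to no tracked connection
    return IpfModel(rules).filter({"dir": "in", "proto": "tcp", "flags": "A", "src": "x:1", "dst": "me:25"})
```

With the original rules the outgoing SYN leaves (nothing matches, so ipf's default pass applies) but no state is kept, so the peer's SYN/ACK hits the quick block head and is dropped; the added "pass out ... keep state" line creates the state entry that lets the reply through, while a lone inbound ACK is still blocked under both rulesets.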
