Re: I don't need no stinking firewall!
Nenad Andric wrote:
> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay@west.net> wrote:
>> Or better:
>> - Allow from anywhere port 80 to server port > 1023 established
>
> Adding "established" brings us back to a stateful firewall!

Not really. It only looks to see if the ACK or RST bits are set. This is different from a stateful firewall, which memorizes each outbound packet and checks the return for a matching source/destination/sequence.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote:
> Nenad Andric wrote:
>> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay@west.net> wrote:
>>> Or better:
>>> - Allow from anywhere port 80 to server port > 1023 established
>>
>> Adding "established" brings us back to a stateful firewall!
>
> Not really. It only looks to see if the ACK or RST bits are set. This is different from a stateful firewall, which memorizes each outbound packet and checks the return for a matching source/destination/sequence.

That's (cisco) reflexive access lists.

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York
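To make the difference between the two messages above concrete, here is an added illustration (not code from the thread or from any vendor) of a stateless `established` rule beside a reflexive-ACL-style tracker. Addresses, port numbers and the `Pkt` record are constructed for the example; the tracker is a deliberate simplification that matches on the 4-tuple only and omits sequence numbers and timeouts.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as found in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10

SERVER = "192.0.2.10"    # constructed address (RFC 5737 documentation range)
WEB = "198.51.100.7"     # constructed remote web server address

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def established_rule(p: Pkt) -> bool:
    """Stateless 'allow from anywhere port 80 to server port > 1023 established'.
    The only per-packet test is whether ACK or RST is set; nothing is remembered
    about what the server sent out earlier."""
    return (p.sport == 80 and p.dst == SERVER and p.dport > 1023
            and bool(p.flags & (ACK | RST)))

class ReflexiveFilter:
    """Reflexive-ACL style tracking (simplified to the 4-tuple): an outbound
    packet creates a mirrored entry, and an inbound packet must match one."""
    def __init__(self) -> None:
        self.entries = set()

    def outbound(self, p: Pkt) -> None:
        self.entries.add((p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Pkt) -> bool:
        return (p.src, p.sport, p.dst, p.dport) in self.entries

def compare(inbound: Pkt, prior_outbound: Optional[Pkt] = None) -> dict:
    """Verdict of both filters for one inbound packet, given any earlier outbound one."""
    rf = ReflexiveFilter()
    if prior_outbound is not None:
        rf.outbound(prior_outbound)
    return {"established": established_rule(inbound), "reflexive": rf.inbound(inbound)}

# Constructed traffic: the server fetched a page and the reply comes back ...
REQUEST = Pkt(SERVER, 40000, WEB, 80, SYN)
REPLY = Pkt(WEB, 80, SERVER, 40000, SYN | ACK)
# ... and an inbound packet with ACK set that no outbound packet ever asked for.
UNSOLICITED = Pkt(WEB, 80, SERVER, 40001, ACK)

if __name__ == "__main__":
    print(compare(REPLY, REQUEST))   # both filters accept the genuine reply
    print(compare(UNSOLICITED))      # 'established' accepts it, the tracker does not
```

The second call is the point of Jay's remark: a flag test alone cannot tell a reply from any other packet that happens to carry ACK, which is what the state table in a reflexive ACL adds.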