-Original Message-
From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
Sent: Friday, 28 July 2000 9:52 PM
To: Ben Nagy
Cc: 'Bernd Eckenfels'; [EMAIL PROTECTED]
Subject: Re: cisco Established keyword
Ben Nagy wrote:
[stuff]
And Mike wrote:
I hope you realize that it looks
On Thu, Jul 27, 2000 at 06:59:22AM -0400, Chris Brenton wrote:
The attacker also needs to know the Window of time when the mail will be
transferred between the two hosts. The size of this window will vary
depending on the mail server. For example my mail server completes
connects (on average)
On Wed, Jul 26, 2000 at 03:27:31PM -0400, Chris Brenton wrote:
Patrick Darden wrote:
Ben, we disagree on our definition of stateful. RACLs do not store
session information (e.g. tcp sequence numbers),
If this was true then most stateful packet filters would not be. Just
did a dump on
-Original Message-
From: Bernd Eckenfels [mailto:[EMAIL PROTECTED]]
Sent: Friday, 28 July 2000 4:38 PM
To: Chris Brenton
Cc: Patrick Darden; Ben Nagy; [EMAIL PROTECTED]
Subject: Re: cisco Established keyword
On Wed, Jul 26, 2000 at 03:27:31PM -0400, Chris Brenton wrote:
Bernd Eckenfels wrote:
How can Fw1 reconstruct texts over IP boundaries if they don't keep track of
the sequence number? Does this mean that the stateful inspection is not
only limited by goofy inspection scripts (assume the PORT command at the
start of the IP packet) but also by the
Ben Nagy wrote:
Assuming that the packets make it past the first post, the _data_ in those
packets gets handed off to userspace for further inspection. For this to
happen, the FW TCP/IP stack needs to do all the normal TCP/IP stack things -
reassembly, retransmission, reordering blah blah
On Wed, Jul 26, 2000 at 03:27:31PM -0400, Chris Brenton wrote:
Patrick Darden wrote:
Ben, we disagree on our definition of stateful. RACLs do not store
session information (e.g. tcp sequence numbers),
If this was true then most stateful packet filters would not be. Just
did a dump on
"Juergen P. Meier" wrote:
fw-1 does not store seq numbers, therefore it can easily be fooled
to believe that malicious packets are part of the connection (see below)
Humm, so if this is so "easy" why is it not a wide spread problem?
Theory and practice and all of that. I've banged a few holes
"Established" is not stateful in any sense of the word. It
was an early
kludge that was followed by reflexive access lists, another kludge.
As are firewalls in general (not meant to diminish their value)
On Tue, 25 Jul 2000, Ben Nagy wrote:
Personally, I trust reflexive access lists more than CBAC.
The best tools are the tools you know best.
Reflexive access lists are _not_ a kludge - on the contrary, they work in
the traditional manner for a stateful packet filter. When a new
-Original Message-
From: Patrick Darden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 July 2000 4:58 AM
To: Ben Nagy
Cc: [EMAIL PROTECTED]
Subject: RE: cisco Established keyword
On Tue, 25 Jul 2000, Ben Nagy wrote:
[snip]
Reflexive access lists are _not_ a kludge
Ben Nagy wrote:
I'm sorry, but that's just completely false. Reflexive ACLs are stateful.
Hear, hear! You beat me to this! ;)
This is how they work:
1. A packet leaves an interface with 'reflect' in an ACL
2. An entry is written into a dynamic ACL (Call this a STATE TABLE) with the