> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: den 27 september 2000 08:55
> To: 'Jesper Wall'
> Cc: [EMAIL PROTECTED]
> Subject: RE: LinkSys 4-Port Router
>
>
> [snip]
> > > [Ben Nagy wrote]
> > > Assuming we're talking about an arbitrary, theoretical NAT
> > > box - it handles
> > > it fine. My coders were (just) bright enough to realise that
> > > the connection
> > > should get pulled out of the state table after seeing a FIN
> > > from either
> > > side. How hard is that?
> > >
> > Hmm.. Not entirely correct. Not all OSes strictly send a FIN
> > when closing
> > connections.
> >
>
> Um, how else would they get closed?
>
> From RFC 793:
> " The clearing of a connection also involves the exchange of segments,
> in this case carrying the FIN control flag. "
>
> Maybe what you mean is that not all OSes bother to explicitly close all
> connections?
>
That's what I meant. I know in fact that M$ is one of the bad guys in this
case.
>
> In that case NAT boxes are expected to time connections out
> after certain
> durations. It's also a good idea to keep an eye on the total
> number of open
> connections as some DOS methods work that way.
Cheers!
//Jesper
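As an added illustration (not code from either poster, nor from the LinkSys product), here is a toy connection-tracking table in Python that models the three behaviours raised in this exchange: dropping the mapping when a FIN is seen from either side, timing out idle entries left by hosts that never close explicitly, and capping the total number of tracked connections so the table cannot grow without bound. The addresses, ports, timeout and cap values are constructed for the demonstration.

```python
# Toy NAT state table: FIN removes an entry, idle entries time out,
# and the total number of tracked flows is capped. Illustrative only.

class NatTable:
    def __init__(self, idle_timeout=300.0, max_entries=1024):
        self.idle_timeout = idle_timeout   # seconds of silence before expiry
        self.max_entries = max_entries     # hard cap on tracked connections
        self.table = {}                    # (src, sport, dst, dport) -> last_seen

    def observe(self, flow, flags, now):
        """Record one TCP segment for `flow` (a 4-tuple) seen at time `now`.
        Returns 'closed' if a FIN removed the entry, 'dropped' if the table is
        full and the flow is new, otherwise 'tracked'."""
        self.expire(now)
        if "FIN" in flags:
            # A FIN from either side pulls the connection out of the table.
            self.table.pop(flow, None)
            return "closed"
        if flow not in self.table and len(self.table) >= self.max_entries:
            # Cap reached: refuse new mappings rather than grow unboundedly.
            return "dropped"
        self.table[flow] = now
        return "tracked"

    def expire(self, now):
        """Remove entries idle longer than the timeout; return how many."""
        stale = [f for f, seen in self.table.items() if now - seen > self.idle_timeout]
        for f in stale:
            del self.table[f]
        return len(stale)


def simulate():
    """Constructed traffic: three inside hosts talking to one outside server."""
    nat = NatTable(idle_timeout=300.0, max_entries=2)
    a = ("10.0.0.2", 40000, "203.0.113.5", 80)
    b = ("10.0.0.3", 40001, "203.0.113.5", 80)
    c = ("10.0.0.4", 40002, "203.0.113.5", 80)
    results = [
        nat.observe(a, {"SYN"}, 0.0),          # tracked
        nat.observe(b, {"SYN"}, 1.0),          # tracked, table now full
        nat.observe(c, {"SYN"}, 2.0),          # dropped, cap reached
        nat.observe(a, {"FIN", "ACK"}, 3.0),   # closed, frees a slot
        nat.observe(c, {"SYN"}, 4.0),          # tracked
    ]
    expired = nat.expire(302.5)  # b has been idle > 300 s, c has not
    return results, expired, sorted(f[0] for f in nat.table)
```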