#Assuming we're talking about an arbitrary, theoretical NAT box - it handles
#it fine. My coders were (just) bright enough to realise that the connection
#should get pulled out of the state table after seeing a FIN from either
#side. How hard is that?

What about TCP half-close connections? I know it isn't used much, but
it is in the RFC. My opinion is that a 'security' device should close a
connection when the client that opened the connection sends a FIN. Does
the Linksys actually properly close the connection when it sees the first
FIN? If it does not and it just drops the connection out of the state
table, then that is poor programming. If you are going to drop connections
out of a state table before you see the entire 4-packet TCP session close
(FIN-> <-ACK <-FIN ACK->), then you should close the other side of the
connection on behalf of the client. I would think that a NAT device would
wait for the entire connection to be closed.

Regards,
Jeffery Gieser

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
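An added illustration of the two behaviours argued about above (example code written for this page, not from the thread or from any vendor's NAT): a toy connection tracker is fed a constructed half-close exchange, once dropping the table entry on the first FIN and once waiting for the full 4-packet close. Only the second policy forwards the server's reply that arrives after the client's FIN.

```python
from dataclasses import dataclass, field


@dataclass
class FlowState:
    """Close-tracking state for one NAT table entry (hypothetical layout)."""
    fin_seen: dict = field(default_factory=lambda: {"client": False, "server": False})
    fin_acked: dict = field(default_factory=lambda: {"client": False, "server": False})


def _other(side):
    return "server" if side == "client" else "client"


def run_nat(packets, drop_on_first_fin):
    """Replay (side, flags, payload) packets through a single established flow.

    Returns (forwarded_packets, entry_still_present). A packet that arrives
    with no table entry is dropped, as a stateful NAT would do.
    """
    table = {"flow": FlowState()}          # one established flow for the demo
    forwarded = []
    for side, flags, payload in packets:
        st = table.get("flow")
        if st is None:
            continue                       # no state for this flow -> dropped
        forwarded.append((side, flags, payload))
        if "FIN" in flags:
            st.fin_seen[side] = True
        # Any ACK from the peer after we saw a FIN acknowledges that FIN.
        if "ACK" in flags and st.fin_seen[_other(side)]:
            st.fin_acked[_other(side)] = True
        if drop_on_first_fin and "FIN" in flags:
            del table["flow"]              # policy 1: first FIN kills the entry
        elif all(st.fin_acked.values()):
            del table["flow"]              # policy 2: full 4-packet close seen
    return forwarded, "flow" in table


# Constructed half-close: client finishes sending, then still reads the reply.
HALF_CLOSE = [
    ("client", {"PSH", "ACK"}, "GET /"),
    ("client", {"FIN", "ACK"}, ""),            # client half-closes
    ("server", {"ACK"}, ""),                   # server acks the FIN
    ("server", {"PSH", "ACK"}, "200 OK body"), # reply on the still-open half
    ("server", {"FIN", "ACK"}, ""),
    ("client", {"ACK"}, ""),
]
```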