mouss wrote:
>
> That's the "keep state" of ip filter, and as Carson says, every stateful
> filter handles this.
>
> The difference with TCP is that a malicious user can inject packets
I'm sure you meant to say, the difference with UDP is...
> if he manages to send 'em while you're waiting for a reply. Unlike TCP,
> UDP provides no state nor sequence numbers, so one can forge
> "replies" easily. This is possible even with TCP in the case of implementations
> that incompletely handle the TCP state and/or sequence numbers, and it
> seems such implementations exist :)
>
> Once again, proxies are the way since as applications, they manage the state
> completely, and having replies get back to the FW allows more control than when
> they go to "normal" hosts. Note that bind is a proxy!
-paul
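
Added example, not part of the original messages: a simplified Python model of the contrast drawn above between UDP "keep state" and an application proxy. The class names, the choice of the DNS transaction ID as the application-level check, and all addresses, ports and IDs are assumptions constructed for illustration; this is not ipfilter's or bind's code.

```python
# Added illustration: toy model of UDP "keep state" vs. an application proxy.
# All addresses, ports and IDs used with it are constructed sample values.
import struct
import time

class UdpKeepState:
    """Packet-filter view: a reply is anything matching the reversed 4-tuple."""
    def __init__(self, ttl=30.0):
        self.ttl = ttl
        self.table = {}  # (src, sport, dst, dport) -> expiry time

    def outbound(self, src, sport, dst, dport, now=None):
        now = time.monotonic() if now is None else now
        self.table[(src, sport, dst, dport)] = now + self.ttl

    def inbound_allowed(self, src, sport, dst, dport, now=None):
        now = time.monotonic() if now is None else now
        expiry = self.table.get((dst, dport, src, sport))
        return expiry is not None and now <= expiry

class DnsProxy(UdpKeepState):
    """Application view: also remember the DNS transaction ID of each query."""
    def __init__(self, ttl=30.0):
        super().__init__(ttl)
        self.pending = {}  # 4-tuple -> transaction ID

    def query(self, src, sport, dst, dport, payload, now=None):
        self.outbound(src, sport, dst, dport, now)
        (txid,) = struct.unpack("!H", payload[:2])
        self.pending[(src, sport, dst, dport)] = txid

    def reply_allowed(self, src, sport, dst, dport, payload, now=None):
        if len(payload) < 12 or not self.inbound_allowed(src, sport, dst, dport, now):
            return False
        txid, flags = struct.unpack("!HH", payload[:4])
        key = (dst, dport, src, sport)
        if not flags & 0x8000 or self.pending.get(key) != txid:
            return False  # not a response, or ID does not match our query
        del self.pending[key]  # one reply per query
        del self.table[key]
        return True

def dns_header(txid, is_response):
    """Constructed 12-byte DNS header (no question section) for the demo."""
    return struct.pack("!HHHHHH", txid, 0x8000 if is_response else 0, 0, 0, 0, 0)
```

The filter accepts any datagram on the reversed 4-tuple until the entry expires, while the proxy additionally requires the payload to answer a query it actually sent.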