In some mail from Brett Glass, sie said:
> 
> Darren:
> 
> Glad to see you are in on this discussion.
> 
> The code you use for the "keep state" option in IPFilters might be
> able to recognize that the ACK does not belong to an existing
> connection. Could a fast check be implemented as a rule under 
> IPFilters? (If it could, it's probably a one-liner, but I'd need
> to figure out how to write it since I do not deal with IPFilters
> on a regular basis.) If not, it seems as if the framework might
> mostly be in place in your code.

If you're using "flags S keep state" or "flags S/SA keep state",
then as far as I'm aware, having read the code, you are safe.

I'm intrigued to know what the bug is.  Reading the code, it is
hard to see how you could make a box fall over using it, unless
there were some serious problems in how random TCP ACKs were
handled.

Darren
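As an added illustration of the point in the reply above (not IPFilter's code and not from anyone in the thread), a small Python model of how a "keep state" rule behaves with and without "flags S/SA": it tracks one direction only and ignores sequence numbers, timeouts and "quick", and the packets are constructed sample traffic.

```python
from collections import namedtuple

# A packet is identified by its 4-tuple plus the TCP flags that are set.
Packet = namedtuple("Packet", "src sport dst dport flags")
# flags/mask model the "flags S/SA" clause: mask = flags examined, flags = values required.
Rule = namedtuple("Rule", "action flags mask keep_state", defaults=(None, None, False))

def rule_matches(rule, pkt):
    if rule.flags is None:           # no flags clause: any TCP packet matches
        return True
    return (pkt.flags & rule.mask) == rule.flags

def run_filter(rules, packets):
    """Last matching rule wins (no 'quick'); returns verdicts and the state table built."""
    state, verdicts = set(), []
    for pkt in packets:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in state:             # the state table is consulted before the rule list
            verdicts.append("pass")
            continue
        verdict, winner = "block", None
        for rule in rules:
            if rule_matches(rule, pkt):
                verdict, winner = rule.action, rule
        if verdict == "pass" and winner.keep_state:
            state.add(key)           # a passed packet of a keep-state rule creates state
        verdicts.append(verdict)
    return verdicts, state

SYN, ACK = frozenset("S"), frozenset("A")
PACKETS = [  # constructed sample traffic towards a web server
    Packet("10.0.0.5", 40000, "192.0.2.1", 80, SYN),     # genuine connection opener
    Packet("10.0.0.5", 40000, "192.0.2.1", 80, ACK),     # its follow-up ACK
    Packet("203.0.113.9", 51234, "192.0.2.1", 80, ACK),  # stray ACK, no SYN ever seen
]
BLOCK_ALL = Rule("block")
KEEP_STATE_ONLY = [BLOCK_ALL, Rule("pass", keep_state=True)]   # "pass in proto tcp ... keep state"
FLAGS_S_SA = [BLOCK_ALL, Rule("pass", frozenset("S"), frozenset("SA"), True)]  # "... flags S/SA keep state"

def compare():
    """Verdicts for the same packets under both rule sets."""
    return {"keep state": run_filter(KEEP_STATE_ONLY, PACKETS),
            "flags S/SA keep state": run_filter(FLAGS_S_SA, PACKETS)}
```

Without the flags clause the stray ACK is passed and even gets a state entry; with "flags S/SA" it never matches the pass rule and falls through to the block.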


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message