Hi Remi,

Rémi Denis-Courmont wrote:
> On Wed, 24 Sep 2008 11:23:28 -0400, Suresh Krishnan
> <[EMAIL PROTECTED]> wrote:
>> 1) Inside_Host(Port X)->Outside_Host(Port Y) SYN=1,ACK=0
>> 2) Outside_Host(Port Y)->Inside Host(Port X) SYN=1,ACK=1
>> 3) Inside_Host(Port X)->Outside_Host(Port Y) SYN=0,ACK=1
>> ...
>> 99) Outside_Host(Port Y)->Inside Host(Port X) SYN=0,ACK=1
>> (Fragment: OH(Port Z)->IH(Port 80) SYN=1,ACK=0)
>>
>> The packet numbered 99) will not be filtered even by a stateful firewall.
>
> But then the dialog is established and a SYN=1 ACK=0 packet in the reverse
> direction is not really an issue. In fact some stateful firewalls may even
> allow the packet due to optimizations.

But the packet is not destined for the already established ports. This
packet is trying to establish a new incoming http connection. If the
firewall lets it through, there is a problem.

Thanks
Suresh
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
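
An added example, not part of the original message or of any firewall's code: a small Python model of packet 99) showing why a filter that matches only the first fragment against its state table accepts it, while a filter that refuses overlapping fragments drops it. It assumes the fragment in step 99) overlaps the TCP header of the first fragment (the message does not spell this out); the port numbers, the reduced 5-byte header, the byte-granular offsets and all function names are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10
X, Y, Z = 40000, 50000, 50001   # constructed stand-ins for Port X, Y, Z

def tcp_hdr(sport, dport, flags):
    # Reduced 5-byte header for the model: source port, destination port, flags.
    return struct.pack("!HHB", sport, dport, flags)

def parse(data):
    return struct.unpack("!HHB", data[:5])

def find_overlaps(frags):
    """Byte ranges covered by more than one fragment (offsets in bytes here)."""
    seen, overlaps = [], []
    for off, data in frags:
        lo, hi = off, off + len(data)
        overlaps += [(max(lo, s), min(hi, e)) for s, e in seen if lo < e and s < hi]
        seen.append((lo, hi))
    return overlaps

def reassemble(frags):
    """Later fragment overwrites earlier bytes; one policy a receiver might apply."""
    buf = bytearray(max(off + len(d) for off, d in frags))
    for off, data in frags:
        buf[off:off + len(data)] = data
    return bytes(buf)

def naive_filter(frags, established):
    """Match only the first offset-0 fragment against the state table."""
    sport, dport, _ = parse(next(d for off, d in frags if off == 0))
    return "accept" if (sport, dport) in established else "drop"

def strict_filter(frags, established):
    """Refuse any datagram whose fragments overlap, then apply the same match."""
    return "drop" if find_overlaps(frags) else naive_filter(frags, established)

ESTABLISHED = {(Y, X)}   # inbound direction of the dialog from steps 1) to 3)
PACKET_99 = [(0, tcp_hdr(Y, X, ACK) + b"\0\0\0"),   # what the filter inspects
             (0, tcp_hdr(Z, 80, SYN))]              # the attached fragment
CLEAN = [(0, tcp_hdr(Y, X, ACK) + b"\0\0\0"), (8, b"payload!")]

if __name__ == "__main__":
    print("naive :", naive_filter(PACKET_99, ESTABLISHED))
    print("host  :", parse(reassemble(PACKET_99)))
    print("strict:", strict_filter(PACKET_99, ESTABLISHED))
```
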