On 01/14/2010 06:15:58 PM, Peter Stuge wrote:
> Let's try some more.
> 
> Karl O. Pinc wrote:
> > > no; it is because the OpenVPN client creates the same src + dst pair
> > > for every connection.
> > 
> > Enrico is right.  It's in the IP RFC, the 2MSL (twice the maximum
> > segment lifetime) rule.  (STD 5 is the right rfc?)

> My point is that a "stateful" firewall should keep more info about
> connections than just a 4-tuple. The firewall that is causing Enrico
> trouble seems to not do this, since it does not recognize a new
> connection if uses the same 4-tuple. To me, that actually sounds like
> the textbook definition of a _stateless_ firewall. :)

Please read the RFC.  A TCP connection should not re-use the 4-tuple
for a limited interval of time after connection close.  A corollary,
which is only clear once you understand the purpose of this
restriction, is that a good firewall should interpret violations
of this rule as an attempt to inject data into the closed
TCP connection and should block such traffic.

Note that Microsoft TCP stacks have been known to violate this rule.
This is no excuse; it's an indication that the stack should not
be relied on to perform in a standards compliant fashion.



Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
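As an added illustration of the 2MSL quiet-time argument in Karl's reply (constructed example code, not from the thread): a toy stateful tracker that remembers closed 4-tuples for 2MSL, assuming the RFC 793 MSL of 2 minutes, and treats a new SYN or payload on a tuple still inside that window as suspect. The trace, addresses and port in it are constructed.

```python
from dataclasses import dataclass, field

MSL_SECONDS = 120             # RFC 793 maximum segment lifetime
QUIET_TIME = 2 * MSL_SECONDS  # the 2MSL rule discussed in the thread

FourTuple = tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class QuietTimeTracker:
    """Toy stateful tracker: remembers closed 4-tuples for 2MSL."""
    open_conns: set[FourTuple] = field(default_factory=set)
    closed_at: dict[FourTuple, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Forget closed tuples once their quiet time has elapsed.
        for key in [k for k, t in self.closed_at.items() if now - t >= QUIET_TIME]:
            del self.closed_at[key]

    def observe(self, tup, flags, now, payload_len=0) -> str:
        """Return 'accept' or 'drop' for one simplified TCP segment."""
        self._expire(now)
        if "SYN" in flags and "ACK" not in flags:
            if tup in self.closed_at:
                return "drop"      # new SYN re-using a tuple inside 2MSL
            self.open_conns.add(tup)
            return "accept"
        if tup in self.open_conns:
            if "FIN" in flags or "RST" in flags:
                self.open_conns.discard(tup)
                self.closed_at[tup] = now   # start the quiet time
            return "accept"
        if tup in self.closed_at:
            # Tail of the close handshake is fine; payload is not.
            return "accept" if payload_len == 0 else "drop"
        return "drop"   # segment for a connection we never saw


def demo_trace() -> list[str]:
    """Constructed trace (addresses/ports are made up): open, close,
    then re-use the same 4-tuple inside and after the quiet time."""
    tr = QuietTimeTracker()
    tup = ("192.0.2.10", 40000, "198.51.100.5", 1194)
    trace = [  # (flags, payload_len, time in seconds)
        ({"SYN"}, 0, 0.0), ({"ACK"}, 512, 1.0), ({"FIN", "ACK"}, 0, 2.0),
        ({"ACK"}, 0, 2.1),            # close handshake tail: accept
        ({"ACK"}, 64, 5.0),           # data into closed connection: drop
        ({"SYN"}, 0, 30.0),           # early re-use, inside 2MSL: drop
        ({"SYN"}, 0, 2.0 + QUIET_TIME + 1),  # after quiet time: accept
    ]
    return [tr.observe(tup, f, now, p) for f, p, now in trace]
```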
