Hi,
> sloppy
> Uses a sloppy TCP connection tracker that does not check sequence
> numbers at all, which makes insertion and ICMP teardown attacks way
> easier. This is intended to be used in situations where one does
> not see all packets of a connection, e.g. in asymmetric routing
> situations. It cannot be used with modulate state or synproxy
> state.
The "which makes insertion and ICMP teardown attacks way easier." part
sounds scary!
Just tested... if I replace:
pass quick proto { icmp, icmp6 }
with:
pass quick proto { icmp, icmp6 } no state
.. it also works.
I guess this is a more normal behaviour of allowing any ICMP through,
regardless of state. As opposed to silently dropping incoming traffic
for which there is no matching state.
Is that preferable over 'sloppy'?
> I believe claudio@ has advice for you based on some of his real life
> experience.
So he said he forwards traffic with a no state rule...
So I guess I need to allow outgoing with `no state`, but then
explicitly allow incoming with established,related (somehow?) like
you would with iptables on Linux?
Thanks,
Ian
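As an added illustration (not part of the thread above), a pf.conf fragment placing the three tracking modes under discussion side by side; the port 22 service is an assumption chosen only to make the rules concrete:

```pf
# pf.conf fragment - added illustration, not from the thread.
# Assumption: the protected service is TCP port 22.

# Default stateful tracking: replies are matched against a state entry
# and TCP sequence numbers are checked, so stray or spoofed segments
# that do not fit the window are dropped.
pass out quick proto tcp to any port 22 keep state

# Sloppy tracker: a state entry is still created, but sequence numbers
# are not checked. Only appropriate where not every packet of the
# connection is seen (asymmetric routing); it weakens the tracker
# against the insertion and ICMP teardown cases the man page names and
# cannot be combined with modulate state or synproxy state.
pass quick proto tcp to any port 22 keep state (sloppy)

# ICMP with no state at all: packets are accepted purely by rule match,
# in both directions, and never by a state entry, so nothing is silently
# dropped for lack of a matching state, but nothing is validated either.
pass quick proto { icmp, icmp6 } no state
```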