On Wed, Oct 30, 2002 at 03:38:37PM -0300, Helio Alexandre Lopes Loureiro wrote:
> A stateful firewall is not designed to keep a "pass rule" over all
> interfaces?

no. in practice the state is hammered to the interface, which is a very very very good thing (I rely on it for the firewalls in front of the server networks here, which have tons of vlan interfaces. on the external interface I do spoof protection - out: src must be from an internal net, in: dest must be from an internal net -, on each vlan interface there are rules for incoming and outgoing policy, and a packet crossing vlans must go through the outbound policy on the source vlan interface and through the inbound policy on the destination vlan interface, where inbound and outbound is from the network view and actually reversed when you look at the interface). well, they are not really hammered to the interface, but in practice that's the result.

> I'm not an OpenBSD expert, but the same rules under Iptables

iptables isn't really stateful. it doesn't do sequence number checking.
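The layout described in the reply (spoof protection on the external interface, a separate in/out policy on each vlan interface, and a cross-vlan packet having to satisfy both the source vlan's and the destination vlan's rules) as an added pf.conf example; it is not the poster's ruleset, and the interface names, address ranges and service ports are constructed. It uses later pf syntax (tables, `set state-policy if-bound`) to make the interface-bound state behaviour the mail describes explicit.

```pf
# Added example, not the poster's config: interface names, nets and ports
# are constructed. Modern pf syntax; the mail predates tables/state-policy.
ext_if = "fxp0"      # external interface
vlan10 = "vlan10"    # server vlan A
vlan20 = "vlan20"    # server vlan B
table <internal> { 10.10.0.0/24, 10.20.0.0/24 }   # nets behind the firewall

set skip on lo0
# Bind each state to the interface it was created on, so a state made by
# a pass rule on one interface does not let the packet through another.
set state-policy if-bound

# default deny on every interface; the rules below carve out what is allowed
block log all

# external interface: spoof protection only
#   out: source must be an internal net
#   in:  destination must be an internal net
block out quick on $ext_if from ! <internal> to any
block in  quick on $ext_if from any to ! <internal>
pass  out       on $ext_if from <internal> to any keep state
pass  in        on $ext_if proto tcp from any to 10.10.0.0/24 port { 80, 443 } keep state

# per-vlan policy. pf's "in"/"out" is the interface view, i.e. reversed from
# the network view the mail uses: the network's "outbound from vlan10" is
# pf's "in on vlan10", the network's "inbound to vlan20" is "out on vlan20".

# vlan10 (network view): outbound may reach vlan20's database port,
# inbound is the web traffic already admitted on the external interface.
pass in  on $vlan10 proto tcp from 10.10.0.0/24 to 10.20.0.0/24 port 5432 keep state
pass out on $vlan10 proto tcp from any to 10.10.0.0/24 port { 80, 443 } keep state

# vlan20 (network view): inbound must independently allow the database
# traffic that vlan10's outbound policy passed; without this rule the
# cross-vlan packet is dropped by "block log all" on vlan20.
pass out on $vlan20 proto tcp from 10.10.0.0/24 to 10.20.0.0/24 port 5432 keep state
```

Each vlan-to-vlan flow therefore needs a matching rule on both interfaces, which is exactly the property the reply relies on.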
