On Thu, Oct 31, 2002 at 12:06:26AM +0100, Henning Brauer wrote:

> there is, you just wrote it:
>
> > A lookup in an empty list/tree would of course equal a single pointer
> > comparison
>
> ;-)

Yes, I'll go count the number of instructions that occur per packet
already, it's Halloween :)

> I question that it can be done securely at all.

We'd not allow inserting completely blank state templates, of course.
I think allowing only the source port to be left out would cover all
useful cases, and the packet would have to match both addresses and
the destination port to complete the state. And an attacker that
spoofs at the right time might complete the state, but he doesn't
gain much, as he can't complete the TCP handshake.

> people using ftp-proxy in front of an ftp-server which is not NATed
> make a fault. it's not needed.

There are more uses than just ftp-proxy. In fact, I don't care all
that much about servers wanting to log the real client IP, but other
translations have interesting potential :)

Daniel
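The following is an added illustration, not code from this thread or from pf: a toy state table that models the "state template" matching described in the message above. A template pins both addresses and the destination port and leaves only the source port as a wildcard; a blank template is refused; the first packet that matches on the three fixed fields completes the template into a fully specified state, after which other source ports no longer match it (which is why a well-timed spoofed packet can "complete" the state, but can do nothing further without finishing the handshake). All type and function names, and the addresses and ports used, are invented for this example.

```c
/* Added example: toy state table with wildcard-source-port templates.
 * Not pf code; names and sample values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define PORT_ANY 0          /* wildcard marker for "source port not yet known" */
#define MAX_STATES 8

typedef struct {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;    /* src_port == PORT_ANY while still a template */
    int complete;                   /* 0 = template, 1 = completed state */
} state_t;

typedef struct {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
} pkt_t;

static state_t table[MAX_STATES];
static int nstates;

void reset_table(void) { nstates = 0; }

/* Insert a template. Only the source port may be left open: both addresses
 * and the destination port must be fixed, so a blank template is refused. */
int insert_template(uint32_t src_addr, uint32_t dst_addr, uint16_t dst_port)
{
    if (src_addr == 0 || dst_addr == 0 || dst_port == PORT_ANY)
        return -1;                  /* refuse a completely blank template */
    if (nstates >= MAX_STATES)
        return -1;
    table[nstates] = (state_t){ src_addr, dst_addr, PORT_ANY, dst_port, 0 };
    return nstates++;
}

/* A template matches on both addresses and destination port only;
 * a completed state additionally requires the source port to match. */
static int state_matches(const state_t *s, const pkt_t *p)
{
    if (s->src_addr != p->src_addr || s->dst_addr != p->dst_addr ||
        s->dst_port != p->dst_port)
        return 0;
    return s->complete ? (s->src_port == p->src_port) : 1;
}

/* Look a packet up. The first matching template is completed with the
 * packet's source port. Returns the table index, or -1 if nothing matches. */
int lookup_packet(const pkt_t *p)
{
    for (int i = 0; i < nstates; i++) {
        if (!state_matches(&table[i], p))
            continue;
        if (!table[i].complete) {
            table[i].src_port = p->src_port;
            table[i].complete = 1;
        }
        return i;
    }
    return -1;
}

int state_is_complete(int idx) { return table[idx].complete; }
uint16_t state_src_port(int idx) { return table[idx].src_port; }

int main(void)
{
    /* constructed sample: client 10.0.0.1 -> server 10.0.0.2, port 21 */
    reset_table();
    int idx = insert_template(0x0A000001, 0x0A000002, 21);
    pkt_t first = { 0x0A000001, 0x0A000002, 40000, 21 };
    pkt_t other = { 0x0A000001, 0x0A000002, 40001, 21 };
    printf("template %d, first packet -> %d (complete=%d, src_port=%u)\n",
           idx, lookup_packet(&first), state_is_complete(idx), state_src_port(idx));
    printf("second source port after completion -> %d\n", lookup_packet(&other));
    return 0;
}
```

Once the template is completed by whichever packet arrives first, the legitimate client's differently-numbered source port is rejected, which is the failure mode the thread weighs against the cost of a full state lookup.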
