On Monday 01 March 2004 22:22, Henning Brauer wrote:
> the only place to solve this is obviously writing a proxy.
> whether that is in kernel or not doesn't change a shit.
> well, except for the tiny detail that a security problem in your
> userland proxy doesn't give the attacker remote root... and it's easier
> to write too.

Henning, I don't understand if you're talking about the same thing I 
proposed...


I don't want any proxy or application level software in the kernel.
I said that PF could support an extension of keep state, and I called it permit 
state, because it permits traffic in the opposite direction (from server to 
client) until the created state is in the table.

The only security problem is related to applications that bind on the client.
In fact the server could "talk" with the client...
However this can be easily solved with the help of tagging.


Should I post a step by step example?


        Ed