On Fri, 21 Mar 2014 13:01:25 -0700, Ronald F. Guilmette wrote:
In message 20140322000445.c31...@sola.nimnet.asn.au,
Ian Smith smi...@nimnet.asn.au wrote:
As assorted experts have suggested, you need a stateful rule. It's
really not that hard; if you _only_ needed to protect ntp on
At 02:34 AM 3/22/2014, Ian Smith wrote:
In that specific ruleset - for one specific purpose, remember - no. In
general yes; in a ruleset containing other rules, check-state should be
placed where you want packets tested against all active dynamic rules.
This is correct. And that's awkward,
On Sat, 22 Mar 2014 08:48:40 -0600
Brett Glass wrote:
This is correct. And that's awkward, because you might not want all of
these checks in one place. Also, if there are many dynamic rules this
will slow traffic down quite a bit.
It should be the other way around. Once a flow has been
In message 45158.1395348...@server1.tristatelogic.com, Ronald F. Guilmette
writes:
In message 201403202028.oaa01...@mail.lariat.net,
Brett Glass br...@lariat.org wrote:
...
And the need to do so is becoming more urgent. Just over the past 24 hours,
I am seeing attempted attacks on our
On Thu, 20 Mar 2014 13:41:06 -0700, Ronald F. Guilmette wrote:
[..]
I dearly hope that someone on this list who does in fact have commit privs
will jump on this Right Away. I'm not persuaded that running a perfectly
configured ipfw... statefully, no less... should be an absolute prerequisite
In message 20140321122701.ac6d411a9...@rock.dv.isc.org,
Mark Andrews ma...@isc.org wrote:
In message 45158.1395348...@server1.tristatelogic.com, Ronald F. Guilmette
writes:
I'm no expert, but I'll go out on a limb here anyway and say that the choice
to make NTP outbound queries always use
In message 20140322000445.c31...@sola.nimnet.asn.au,
Ian Smith smi...@nimnet.asn.au wrote:
As assorted experts have suggested, you need a stateful rule. It's
really not that hard; if you _only_ needed to protect ntp on udp:
kldload ipfw                                 # load null fw
ipfw add 65000 allow ip from any to any
In message 201403202028.oaa01...@mail.lariat.net,
Brett Glass br...@lariat.org wrote:
...
And the need to do so is becoming more urgent. Just over the past 24 hours,
I am seeing attempted attacks on our servers in which the forged packets
have source port 123. Obviously, they're counting on