On 7/3/06, Craig Silva <[EMAIL PROTECTED]> wrote:
Here's a bit of information on related:

RELATED packets are similar to ESTABLISHED packets, but something is
different. These are packets that are related to an established connection,
but are not part of the connection. So far, the only confirmed use of
RELATED I've seen has to do with FTP and ICMP, and then only in conjunction
with ESTABLISHED for FTP.

Gotcha, I had a suspicion that's what this was about :)  For FTP, we
have a helper program (you'll see it on the settings screen for each
interface) that creates the needed rules on the fly for the data
connection.  ICMP is considered by PF to be part of state, so an ICMP
port unreachable to a SYN would terminate the state, or an ICMP need
frags in the middle of a flow would get passed so the sender knows it
needs to send smaller packets.  These ICMP types are passed ONLY if
the source/dest ip/port pairs in the payload match a valid flow in the
state table (there may even be more checking somewhere, I'm not sure).

We don't have helper apps for irc (although that could be made a
package with tircproxy I think).  Any other applications that use
multiple ports that get negotiated on the fly will need a helper app
written for them that understands the protocol in use and creates
rules on the fly.

--Bill
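The state-bound ICMP handling Bill describes (an ICMP error is passed only when the IP/port pairs in its embedded payload match a flow already in the state table) as an added Python model; this is illustration code, not pf's implementation and not from either poster, and the addresses, ports and state table are constructed.

```python
import ipaddress
import struct

# Constructed state table: (proto, src_ip, src_port, dst_ip, dst_port) of
# flows the firewall has already admitted. Hypothetical addresses.
STATE_TABLE = {
    (6, "192.0.2.10", 40000, "198.51.100.5", 80),    # TCP to a web server
    (17, "192.0.2.10", 53001, "198.51.100.53", 53),  # UDP DNS query
}

# ICMP types whose payload quotes the offending packet's IP header + 8 bytes
# of its transport header (e.g. type 3: unreachable, incl. port unreachable
# and "fragmentation needed").
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def build_icmp_error(icmp_type, code, inner_src, inner_dst, proto, sport, dport):
    """Constructed ICMP error: 8-byte ICMP header, 20-byte inner IPv4 header,
    then 8 bytes of the quoted transport header (ports + 4 more bytes)."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(inner_src).packed,
                           ipaddress.ip_address(inner_dst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)
    return icmp_hdr + inner_ip + inner_l4

def related_flow(icmp_payload):
    """Return the flow key quoted inside an ICMP error, or None when the
    message is not an error type or is too short to carry the ports."""
    if len(icmp_payload) < 8 + 20 + 4 or icmp_payload[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp_payload[8:]
    ihl = (inner[0] & 0x0F) * 4          # inner IPv4 header length in bytes
    if len(inner) < ihl + 4:
        return None                      # truncated: no ports to match on
    proto = inner[9]
    src = str(ipaddress.ip_address(inner[12:16]))
    dst = str(ipaddress.ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def pass_icmp(icmp_payload, state_table=STATE_TABLE):
    """Pass only if the quoted packet belongs to a known flow, in either
    direction (the error may quote a packet sent by either side)."""
    key = related_flow(icmp_payload)
    if key is None:
        return False
    proto, src, sport, dst, dport = key
    return key in state_table or (proto, dst, dport, src, sport) in state_table
```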
