I don't need no stinking firewall!
Jay Hennigan
jay at west.net
Fri Jan 8 06:55:25 UTC 2010
Nenad Andric wrote:
> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay at west.net> wrote:
>> Or better:
>> - Allow from anywhere port 80 to server port > 1023 established
>
> Adding "established" brings us back to stateful firewall!
Not really. It only looks to see if the ACK or RST bits are set. This
is different from a stateful firewall which memorizes each outbound
packet and checks the return for a match source/destination/sequence.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
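To make the distinction in the reply concrete, here is an added example (not code from the thread or from any vendor) that models both checks side by side: a stateless ACL that mimics the Cisco-style `established` keyword, which only inspects the ACK/RST bits of the packet in front of it, and a minimal stateful filter that records the server's own outbound SYNs and admits a reply only if its reversed 4-tuple and acknowledgement number match. The server address, the peer addresses and the packets are constructed for illustration; the stateful side is deliberately reduced to the handshake reply and does not track windows for later segments.

```python
from collections import namedtuple

# Constructed packet model: just the fields the two checks care about.
Packet = namedtuple("Packet", "src dst sport dport flags seq ack")
SYN, RST, ACK = 0x02, 0x04, 0x10

# Assumption: the host the ACL protects (RFC 5737 documentation address).
SERVER = "192.0.2.10"


def established_acl(pkt):
    """Stateless check, equivalent to
    'permit tcp any eq 80 host SERVER gt 1023 established'.

    The only evidence of an existing connection is the ACK or RST bit
    carried by the packet itself; nothing is remembered between packets.
    """
    return (pkt.dst == SERVER and pkt.sport == 80 and pkt.dport > 1023
            and bool(pkt.flags & (ACK | RST)))


class StatefulFilter:
    """Stateful check: remember outbound SYNs, match the return packet
    on reversed source/destination and on the acknowledgement number."""

    def __init__(self):
        # (src, sport, dst, dport) -> initial sequence number of our SYN
        self.pending = {}

    def outbound(self, pkt):
        if pkt.src == SERVER and pkt.flags & SYN and not pkt.flags & ACK:
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.seq

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse the tuple
        isn = self.pending.get(key)
        if isn is None:
            return False  # no connection we initiated matches this reply
        # A handshake reply must acknowledge our ISN + 1 (mod 2**32).
        return bool(pkt.flags & ACK) and pkt.ack == (isn + 1) & 0xFFFFFFFF


def demo():
    """Run both checks over constructed traffic and return the verdicts."""
    sf = StatefulFilter()
    web = "198.51.100.5"      # constructed web server the SERVER connects to
    attacker = "203.0.113.7"  # constructed unsolicited sender

    # The protected host opens a connection to the web server.
    sf.outbound(Packet(SERVER, web, 40001, 80, SYN, seq=1000, ack=0))

    legit = Packet(web, SERVER, 80, 40001, SYN | ACK, seq=7000, ack=1001)
    # Unsolicited packet that merely sets ACK: satisfies 'established'.
    forged = Packet(attacker, SERVER, 80, 40002, ACK, seq=1, ack=1)
    # Attacker guesses the 4-tuple but not the sequence space.
    guessed = Packet(attacker, SERVER, 80, 40001, SYN | ACK, seq=1, ack=5)
    # Bare SYN from port 80 (a scan) is rejected by both.
    scan = Packet(attacker, SERVER, 80, 40003, SYN, seq=1, ack=0)

    return {
        "legit_acl": established_acl(legit),
        "legit_stateful": sf.inbound(legit),
        "forged_acl": established_acl(forged),
        "forged_stateful": sf.inbound(forged),
        "guessed_acl": established_acl(guessed),
        "guessed_stateful": sf.inbound(guessed),
        "scan_acl": established_acl(scan),
        "scan_stateful": sf.inbound(scan),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {'permit' if verdict else 'deny'}")
```

The interesting rows are `forged_*` and `guessed_*`: any packet with the ACK bit set and a source port of 80 passes the stateless rule, so an unsolicited sender can reach every high port on the server with ACK-flagged segments (which is exactly how an ACK scan maps filtered ports), whereas the stateful filter rejects both because nothing in its table matches. The cost is the per-connection memory and the sequence bookkeeping that the stateless rule avoids.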
More information about the NANOG mailing list