I don't need no stinking firewall!

Henry Yen henry at AegisInfoSys.com
Mon Jan 11 14:52:05 CST 2010


On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote:
> Nenad Andric wrote:
> > On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan <jay at west.net> wrote:
> 
> >> Or better:
> >>     - Allow from anywhere port 80 to server port > 1023 established
> > 
> >  Adding "established" brings us back to stateful firewall!
> 
> Not really.  It only looks to see if the ACK or RST bits are set.  This 
> is different from a stateful firewall which memorizes each outbound 
> packet and checks the return for a match source/destination/sequence.

That's (cisco) reflexive access lists.

-- 
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York




More information about the NANOG mailing list