paul at xciv.org
Tue Jun 19 14:04:56 BST 2001
Richard Smith <rdls at rdls.net> wrote:
> Is there an advantage to using the keep-state/check-state dynamic style
> over the setup/established static style of writing ipfw rules?
> Particularly from a security standpoint?
'setup/established' style filtering usually only looks at the flags
set on TCP connections, so is somewhat limited.
'keep-state/check-state' style filtering maintains a state table
of data 'flows' (for want of a better word), and tracks (based
on src/dst/port, sequence numbers, etc) streams of packets (both
UDP and TCP) and only allows packets back in that are part of a
flow established from (say within) your network to external hosts.
This is sometimes called stateful inspection and more usually
found on commercial firewall products, eg. Checkpoint Firewall-1.
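The difference the reply describes can be seen in a small model of the two styles. This is an added example, not ipfw's code or anything from the thread: packets are plain dicts, the inside network is assumed to be 10.0.0.0/8, the addresses are documentation ranges, and the state table keys flows on protocol, addresses and ports only (the sequence-number tracking and entry timeouts a real check-state implementation also does are left out).

```python
# Toy model of the two ipfw filtering styles discussed in the reply.
# Constructed example, not ipfw code: packets are dicts with a simplified
# header, and 10.x.x.x is assumed to be the inside network.

def is_inside(ip):
    """Hypothetical 'inside' test: internal hosts live in 10.0.0.0/8."""
    return ip.startswith("10.")


def static_filter(pkt):
    """'setup/established' style: decide from TCP flags alone.

    Outbound packets may open connections (SYN without ACK); inbound packets
    pass only if they carry flags that look 'established' (ACK or RST).
    Nothing is remembered between packets."""
    if pkt["proto"] != "tcp":
        return False
    flags = pkt["flags"]
    if is_inside(pkt["src"]) and "SYN" in flags and "ACK" not in flags:
        return True
    if not is_inside(pkt["src"]) and (flags & {"ACK", "RST"}):
        return True
    return False


class StatefulFilter:
    """'keep-state/check-state' style: a state table of flows.

    An outbound packet (keep-state) records the flow; an inbound packet is
    admitted only if check-state finds a matching flow, whatever its flags."""

    def __init__(self):
        self.flows = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def _key(self, pkt, outbound):
        if outbound:
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def filter(self, pkt):
        outbound = is_inside(pkt["src"]) and not is_inside(pkt["dst"])
        key = self._key(pkt, outbound)
        if key in self.flows:       # check-state: known flow, allow
            return True
        if outbound:                # keep-state: new outbound flow, record and allow
            self.flows.add(key)
            return True
        return False                # inbound with no flow entry: dropped


def packet(proto, src, sport, dst, dport, flags=()):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed traffic: addresses are documentation ranges, not real hosts.
SCENARIOS = [
    ("tcp_setup_out",   packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, ["SYN"])),
    ("tcp_reply_in",    packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, ["SYN", "ACK"])),
    ("unsolicited_ack", packet("tcp", "198.51.100.9", 1234, "10.0.0.5", 22, ["ACK"])),
    ("udp_query_out",   packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53)),
    ("udp_reply_in",    packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353)),
]


def compare():
    """Run the scenarios in order through both filters.

    Returns {name: (static_allowed, stateful_allowed)}."""
    stateful = StatefulFilter()
    results = {}
    for name, pkt in SCENARIOS:
        results[name] = (static_filter(pkt), stateful.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (s, d) in compare().items():
        print(f"{name:16s} static={'pass' if s else 'drop'}  stateful={'pass' if d else 'drop'}")
```

The third scenario is the security point of the reply: an inbound packet with only the ACK flag set passes the flags-only rule because it looks "established", while the stateful filter drops it because no outbound flow to that host and port was ever recorded. The UDP scenarios show the other half of the reply, that a state table can track return traffic for protocols that have no connection flags at all.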