OpenBSD Journal

  Re: iptables (mod 5/95)
by Alejandro Belluscio on Wed Mar 26 16:59:00 2003 (GMT)
Even though it's got "stateful inspection", it's not a theoretically perfect adherence to the standards. With ICMP and UDP it's the same as PF, but on TCP it doesn't correctly use the sequence number window. Someone else has written here that there's a patch around. But it's not a default option. In any case it's not as tested as PF.
Regarding the connection tracking, PF might have fewer modules. But consider protocols that don't work with NAT brain-dead (you can't really defend FTP, and the SIP committee is unforgivable, but surely it was made on purpose).
Besides, it has modulation of state and randomization of IP IDs. This means a real increase in security.
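To illustrate what "correctly using the sequence number window" means for a stateful TCP filter, here is a simplified tracker added as an editorial example; it is not pf(4)'s or netfilter's actual code, and the peer fields (seqlo, nxt, win, max_win) and the ack slack rule are assumptions of this constructed model.

```python
MOD32 = 1 << 32


def seq_lt(a, b):
    """a < b in 32-bit TCP sequence arithmetic (handles wraparound)."""
    return ((a - b) % MOD32) > 0x7FFFFFFF


class Peer:
    """Per-direction state of an established connection (constructed model)."""

    def __init__(self, seqlo, win):
        self.seqlo = seqlo    # oldest byte this peer may still send (highest ack seen from the other side)
        self.nxt = seqlo      # highest seq+len this peer has sent so far
        self.win = win        # window this peer last advertised
        self.max_win = win    # largest window this peer has ever advertised


class TcpState:
    def __init__(self, a_seq, a_win, b_seq, b_win):
        self.a = Peer(a_seq, a_win)
        self.b = Peer(b_seq, b_win)

    def check(self, direction, seq, ack, win, length):
        """Return True (and advance state) if a pure data segment fits both
        sequence windows, False if a filter should drop it. SYN/FIN sequence
        space consumption is deliberately not modelled here."""
        src, dst = (self.a, self.b) if direction == "a2b" else (self.b, self.a)
        end = (seq + length) % MOD32
        # Sender may only transmit bytes in [src.seqlo, src.seqlo + dst.win):
        # nothing already acknowledged, nothing beyond the receiver's window.
        seq_hi = (src.seqlo + dst.win) % MOD32
        if seq_lt(seq, src.seqlo) or seq_lt(seq_hi, end):
            return False
        # The ack must not cover data dst never sent, and may only regress
        # by at most dst.max_win (slack for reordered or duplicate acks).
        ack_lo = (dst.seqlo - dst.max_win) % MOD32
        if seq_lt(dst.nxt, ack) or seq_lt(ack, ack_lo):
            return False
        # Segment accepted: move the windows forward.
        if seq_lt(src.nxt, end):
            src.nxt = end
        src.win = win
        src.max_win = max(src.max_win, win)
        if seq_lt(dst.seqlo, ack):
            dst.seqlo = ack
        return True
```

A forged segment whose sequence number sits outside the peer's current window, or whose ack number covers bytes the other side never sent, fails the check even though its addresses and ports match the state entry.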


Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]