Exploring the Mac OS X Firewall
Subject:   Slight error
Date:   2005-03-17 01:01:12
From:   peterhickman
Response to: Slight error

You are correct, I am using the term 'state-full' incorrectly here. What I wanted to get across was that ipfw did have a memory of previous connections and could recognise a packet as belonging to an already established / permitted connection.

Having said that, 'state-full' does have a technical meaning in regards to firewalls and misusing it isn't going to help anybody.

Thanks again for the correction.

  • Slight error
    2006-02-04 15:51:27  sumbach

    This still isn't quite right. Using your rules, ipfw doesn't have any memory at all--it's using the TCP flags to determine whether the connection is established or not.

    A stateful ipfw ruleset will always contain at least one rule with the 'check-state' action and at least one rule with the 'keep-state' option. ipfw's "memory" is in the form of dynamic rules.
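
The distinction drawn in the reply above, as an added example that is not part of the thread or the article: two constructed ipfw rulesets, one relying on the `established` TCP-flag match and one using `check-state`/`keep-state`, plus a small check that classifies a ruleset by the criterion given in the reply. The rule numbers, port 22, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Both rulesets below are constructed samples, not the article's rules.

# Flag-based: 'established' matches TCP packets with the RST or ACK bit set.
# No dynamic rules are created, so nothing is remembered between packets.
flag_based_rules() {
cat <<'EOF'
# constructed sample
add 100 allow tcp from any to any established
add 110 allow tcp from me to any out setup
add 120 allow tcp from any to me 22 in setup
add 65000 deny ip from any to any
EOF
}

# Stateful: 'keep-state' creates a dynamic rule when a connection is permitted;
# 'check-state' matches later packets against those dynamic rules.
stateful_rules() {
cat <<'EOF'
# constructed sample
add 100 check-state
add 110 allow tcp from me to any out setup keep-state
add 120 allow tcp from any to me 22 in setup keep-state
add 65000 deny ip from any to any
EOF
}

# Reads a ruleset on stdin and prints one of:
#   stateful   - has both a check-state rule and a keep-state rule
#   partial    - has only one of the two
#   flag-based - has neither, but uses 'established'
#   stateless  - none of the above
classify_ruleset() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    { for (i = 1; i <= NF; i++) {
        if ($i == "check-state") check++
        if ($i == "keep-state")  keep++
        if ($i == "established") est++
    } }
    END {
      if (check && keep)      print "stateful"
      else if (check || keep) print "partial"
      else if (est)           print "flag-based"
      else                    print "stateless"
    }'
}

for name in flag_based_rules stateful_rules; do
  printf '%s: %s\n' "$name" "$($name | classify_ruleset)"
done
```

On a live system the same check can be fed from `ipfw list`; dynamic rules created by `keep-state` are shown with `ipfw -d list`.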