On Fri, Apr 23, 2004 at 03:17:32PM +0200, Mipam wrote:
> Hi,
>
> When deploying a BSD with IPF in at the network perimeter
> and using rules like these:
>
> pass in .. proto tcp ... keep state(strict)
>
> it's possible to refuse tcp packets which arrive out of order.
> This would increase the difficulty doing blind attack resets and blind
> data injection attack, cause then you'd have to "guess" the exact expected
> number. Checkpoint has a similar feature (is that right?) which is
> described here as the answer to the mentioned attacks:
>
> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
>
> Although this is nice, there is also the risk of breaking
> connection because it's not unlikely that packets arrive out of order.
> At least, that's what I think, any thoughts upon this?

IMHO, in the world of multihomed ISP's, BGP and multipath routing, no,
it is definitely *not* unlikely that packets should arrive out of order.

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
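The trade-off the two messages describe, as an added example that is not part of the thread and not IPFilter's own code: a simplified model of a stateful filter's sequence-number check, run once in ordinary window-based mode and once in an in-order-only mode standing in for `keep state(strict)`. The trace, window size and sequence numbers are constructed for the illustration.

```python
from dataclasses import dataclass

MODULUS = 2 ** 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Segment:
    seq: int
    length: int           # sequence space consumed (payload, SYN/FIN)
    rst: bool = False


@dataclass
class FlowState:
    next_seq: int         # sequence number the filter expects next from this side
    window: int           # receive window advertised by the peer
    strict: bool = False  # True models the in-order-only 'keep state(strict)'

    def accept(self, seg: Segment) -> bool:
        """Return True if the segment passes this (simplified) stateful check."""
        offset = (seg.seq - self.next_seq) % MODULUS  # distance beyond next_seq
        if self.strict:
            # Strict: only the exact expected number passes. A blindly spoofed
            # segment must hit 1 value in 2^32 instead of any of 'window'
            # values, but a legitimately reordered segment is dropped as well.
            ok = offset == 0
        else:
            # Ordinary keep state: anything inside the window passes.
            ok = offset < self.window
        if ok and not seg.rst and offset == 0:
            self.next_seq = (self.next_seq + seg.length) % MODULUS
        return ok


# Constructed trace (MSS 1460, flow starts at seq 1000): A in order, then
# C overtakes B (the reordering Mipam worries about), B arrives, C is
# retransmitted, and finally a forged RST whose sequence number merely
# falls inside the 65535-byte window (the blind reset the thread mentions).
TRACE = [
    Segment(seq=1000, length=1460),           # A
    Segment(seq=3920, length=1460),           # C, arrived before B
    Segment(seq=2460, length=1460),           # B
    Segment(seq=3920, length=1460),           # C retransmitted
    Segment(seq=25380, length=0, rst=True),   # forged RST, 20000 past next_seq
]


def run_trace(strict: bool) -> list[bool]:
    """Replay TRACE through a fresh flow state; one verdict per segment."""
    st = FlowState(next_seq=1000, window=65535, strict=strict)
    return [st.accept(seg) for seg in TRACE]
```

In window mode every segment passes, the forged RST included; in strict mode the RST is dropped, but so is the reordered copy of C, which only gets through once it is retransmitted in order. That retransmission is the cost Peter points at on paths where reordering is routine.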