Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!rosevax!medtron!rh0083b
From: rh0083b@medtronic.COM (Roger-Hunen)
Subject: Re: Stopping only incoming TCP connections (was: Firewall usage)
Message-ID: <1992Jul31.074154.4081@medtron.medtronic.com>
Sender: news@medtron.medtronic.com (USENET News Administration)
Nntp-Posting-Host: tin.pace.medtronic.com
Organization: Medtronic, Inc.
References: <17011@ulysses.att.com> <1992Jul28.202211.14029@shearson.com> <chrisc.21.712446813@ramrod.lmt.mn.org>
Date: Fri, 31 Jul 1992 07:41:54 GMT
Lines: 17

In article <chrisc.21.712446813@ramrod.lmt.mn.org> chrisc@ramrod.lmt.mn.org (Chris Cox) writes:
>>I was under the impression that if you filter all the SYN packets from
>>one direction that aren't SYN ACKs, bingo, you can't initiate any
>>incoming TCP connections. Nice and stateless. The only flaw is that
>>implementations that separately ACK the initiating SYN and then send
>>their own SYN won't be able to connect, but they are rare. Connections
>
>That would eliminate your users from starting ftp data sessions (wouldn't
>it?).

So what you really want is application level proxies in the firewall for
TELNET, FTP, MAIL etc. Of course this defaults to the 'everything is
forbidden unless permitted' approach.

Regards,
-Roger
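The exchange above describes a stateless filter ("drop inbound SYN segments that are not SYN/ACK") and two of its consequences: active-mode FTP data channels, which the server opens toward the client, never get through, and neither do the rare stacks that ACK the SYN and then send their own SYN. The following toy model is an added example, not code from the thread or from any firewall product; the addresses, ports and the `10.0.0.` "inside" prefix are constructed for illustration. It applies the rule to each segment of four hand-built exchanges and reports which ones lose a segment.

```python
"""Toy model of the stateless 'drop inbound bare SYN' firewall rule.

Packets are plain dataclass records constructed inline; no sockets or
packet capture are involved. INSIDE_NET and all addresses are made up.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # hypothetical internal network prefix (constructed)

# TCP flag bits as they appear in the segment header.
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_inbound(pkt: Packet) -> bool:
    """Inbound means: source outside the protected net, destination inside."""
    return not pkt.src.startswith(INSIDE_NET) and pkt.dst.startswith(INSIDE_NET)


def stateless_syn_filter(pkt: Packet) -> str:
    """The rule from the thread: drop an inbound segment that has SYN set
    but ACK clear (the opening segment of a handshake). Every other segment
    passes. No connection table is consulted, hence 'stateless'."""
    if is_inbound(pkt) and (pkt.flags & SYN) and not (pkt.flags & ACK):
        return "drop"
    return "pass"


def trace(packets):
    """Return the filter's verdict for each segment of an exchange, in order."""
    return [stateless_syn_filter(p) for p in packets]


# Scenario 1: an internal host opens a TELNET session outward.
OUTBOUND_TELNET = [
    Packet("10.0.0.5", 1025, "192.0.2.7", 23, SYN),
    Packet("192.0.2.7", 23, "10.0.0.5", 1025, SYN | ACK),
    Packet("10.0.0.5", 1025, "192.0.2.7", 23, ACK),
]

# Scenario 2: an outside host tries to open a TELNET session inward.
INBOUND_TELNET = [
    Packet("192.0.2.7", 1026, "10.0.0.5", 23, SYN),
]

# Scenario 3: active-mode FTP. The control channel is client-initiated and
# passes, but the data channel is opened by the server from port 20 toward
# the client, so its SYN is an inbound bare SYN and is dropped.
ACTIVE_FTP = [
    Packet("10.0.0.5", 1027, "192.0.2.7", 21, SYN),
    Packet("192.0.2.7", 21, "10.0.0.5", 1027, SYN | ACK),
    Packet("10.0.0.5", 1027, "192.0.2.7", 21, ACK),
    Packet("192.0.2.7", 20, "10.0.0.5", 1028, SYN),  # data channel
]

# Scenario 4: a stack that ACKs the client's SYN in one segment and sends
# its own SYN in a second one instead of a combined SYN/ACK. The second
# segment is an inbound bare SYN, so the handshake never completes.
SPLIT_SYN_ACK = [
    Packet("10.0.0.5", 1029, "192.0.2.7", 23, SYN),
    Packet("192.0.2.7", 23, "10.0.0.5", 1029, ACK),
    Packet("192.0.2.7", 23, "10.0.0.5", 1029, SYN),
]


def blocked_connections():
    """Map each scenario name to True if the filter drops any of its segments."""
    scenarios = {
        "outbound_telnet": OUTBOUND_TELNET,
        "inbound_telnet": INBOUND_TELNET,
        "active_ftp": ACTIVE_FTP,
        "split_syn_ack": SPLIT_SYN_ACK,
    }
    return {name: "drop" in trace(pkts) for name, pkts in scenarios.items()}


if __name__ == "__main__":
    for name, blocked in blocked_connections().items():
        print(f"{name:16s} {'blocked' if blocked else 'allowed'}")
```

The model makes the thread's point concrete: from the filter's stateless view, the server's port-20 SYN in the active FTP scenario is indistinguishable from the unsolicited inbound TELNET SYN, because the rule never sees the control-channel conversation that announced it. A data connection the client opens itself has the same shape as scenario 1 and would pass, which is why the alternative Roger raises, an FTP-aware proxy on the firewall, is the way to admit exactly the data connections the control channel negotiated.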