On Thu, 2006-12-21 at 08:57 +0100, Carl-Daniel Hailfinger wrote:
> Grant Taylor wrote:
> > I ran across an interesting article [...]
> This is wrong on so many levels. Please reread the article. Then read
> the source code of your favourite firewalling system. All of those
> "attacks" require cooperation from your side. And if you (or someone
> using the computer you try to protect) are actively cooperating with
> the attacker, "fixing" the firewall should be the least important of
> your problems.

Very true... the described method isn't an "attack", it's just a way to
facilitate connections between two NATed partners.

> I'm still seeing people who absolutely want to deploy the iptables
> UNCLEAN match to "make their network more secure".

This makes me curious: wouldn't UNCLEAN improve security? AFAIR, the main
argument against UNCLEAN (and grounds for its removal) was that it broke
ECN at some time in the past, and that "something like this could happen
again".

Personally, I like the idea of rejecting anything that violates the
existing standards.

Regards,
Torsten
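The ECN breakage mentioned above is easy to reproduce in miniature. The following is an added example, not code from this thread or from netfilter: a small TCP-header sanity checker in the spirit of UNCLEAN. When it treats the CWR/ECE bits as reserved (as pre-ECN code did), a perfectly valid ECN-setup SYN is rejected as "unclean"; the ECN-aware mode only rejects bits that are still reserved and flag combinations that RFC 793 never allows. The packet bytes are constructed by hand; the function names are this example's own.

```python
"""
Tiny TCP-header sanity checker in the spirit of the old iptables UNCLEAN match.
Added example, not code from the netfilter project or the mail thread above.
All packets below are constructed inline.
"""
import struct

# TCP flag bits: RFC 793 plus the two ECN bits (CWR, ECE) from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
NS = 1 << 8  # RFC 3540 nonce sum bit, carved out of the former reserved field


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (data offset 5, no options).
    The 16-bit word at offset 12 is: data offset (4 bits), reserved (3 bits),
    then NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(header):
    """Return (data_offset_words, reserved_3bits, flags_9bits)."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags >> 12, (offset_flags >> 9) & 0x7, offset_flags & 0x1FF


def check_tcp_header(header, ecn_aware=True):
    """Return a list of reasons the header looks 'unclean' (empty == clean).

    ecn_aware=False reproduces the historical mistake: CWR and ECE are treated
    as reserved bits, so every ECN-capable SYN is rejected.
    """
    if len(header) < 20:
        return ["header shorter than 20 bytes"]
    problems = []
    data_offset, reserved, flags = parse_tcp_header(header)

    if data_offset < 5:
        problems.append("data offset below 5 words")
    elif data_offset * 4 > len(header):
        problems.append("data offset beyond captured header")

    # Bits that no current standard defines must be zero.
    reserved_mask = NS if ecn_aware else (NS | CWR | ECE)
    if reserved or flags & reserved_mask:
        problems.append("reserved flag bits set")

    # Combinations RFC 793 never produces (classic scanner signatures).
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN both set")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST both set")
    # Every segment except the initial SYN or a RST carries ACK.
    if not flags & (SYN | RST | ACK):
        problems.append("neither SYN, RST nor ACK set")
    return problems


# Constructed sample segments.
PLAIN_SYN = build_tcp_header(40000, 80, 1, 0, SYN)
ECN_SYN = build_tcp_header(40000, 80, 1, 0, SYN | ECE | CWR)   # RFC 3168 setup
SYN_FIN = build_tcp_header(40000, 80, 1, 0, SYN | FIN)
NULL_SCAN = build_tcp_header(40000, 80, 1, 0, 0)


def classify_samples(ecn_aware):
    """Map each sample name to its list of problems under the given policy."""
    return {name: check_tcp_header(pkt, ecn_aware) for name, pkt in
            (("plain_syn", PLAIN_SYN), ("ecn_syn", ECN_SYN),
             ("syn_fin", SYN_FIN), ("null_scan", NULL_SCAN))}


if __name__ == "__main__":
    for mode in (True, False):
        print("ecn_aware =", mode)
        for name, problems in classify_samples(mode).items():
            print("  %-10s %s" % (name, problems or "clean"))
```

The point for a ruleset author: a "reject everything non-standard" match is only as good as its notion of the standard, and the standard moves (RFC 3168 reassigned two bits that RFC 793 had reserved). A check that is wrong in that way silently drops legitimate traffic from conforming peers, which is exactly the failure mode cited as the reason for removing UNCLEAN.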