lanceat_private said:
> I have not tested that yet, so I cannot confirm nor deny its
> validity, however I have heard of this behavior before. Looks like I
> have a new challenge to play with :)

I tested it some time ago under 3.0b (maybe with some patches added). They might have changed it since then, of course.

As someone else has already stated in this thread, when installing a policy the state table is reset. So as not to have all existing connections dropped when this happens, Checkpoint had/have this "feature" that allows ACK packets in. It is only supposed to allow ACK packets in that correspond to the reverse of an outgoing rule. Therefore, if there is nothing allowed out, it's not supposed to allow the ACKs in. If you allow all internal hosts to access the Internet on all ports, it'll allow in most packets. The body gets mangled, but I'm not sure about the sequence numbers. Depending on the response of the internal host the connection will be added to the state table.

Steve

--
Steve Birnbaum - sbirnat_private (PGP key available)
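A toy model of the behaviour Steve describes, added here as an illustration and not code from the post or from Check Point: a state table that is cleared on policy install, plus an exception that admits a bare ACK when it looks like the reply half of a flow some outbound rule would permit. Rule prefixes, addresses and ports are constructed; the point it shows is that the exposure during the reset window is bounded by how loose the outbound rules are.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # outbound rule: src prefix -> dst prefix on dport (None = any port)
    src_prefix: str
    dst_prefix: str
    dport: Optional[int]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack_only: bool  # True for a bare ACK, False for SYN and everything else

class Firewall:
    def __init__(self, outbound_rules):
        self.outbound_rules = list(outbound_rules)
        self.state = set()  # (src, sport, dst, dport) of accepted outbound flows

    def install_policy(self, outbound_rules):
        self.outbound_rules = list(outbound_rules)
        self.state.clear()  # installing a policy resets the state table

    def _allowed_out(self, src, dst, dport):
        return any(src.startswith(r.src_prefix) and dst.startswith(r.dst_prefix)
                   and (r.dport is None or r.dport == dport)
                   for r in self.outbound_rules)

    def outbound(self, pkt):
        if self._allowed_out(pkt.src, pkt.dst, pkt.dport):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accepted"
        return "dropped"

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "established"
        # The "feature": a bare ACK gets in if it is the reverse of an outgoing rule.
        if pkt.ack_only and self._allowed_out(pkt.dst, pkt.src, pkt.sport):
            return "ack-admitted"
        return "dropped"

PERMISSIVE = [Rule("10.0.0.", "", None)]  # constructed: all internal hosts, any port
TIGHT = [Rule("10.0.0.", "", 80)]         # constructed: internal hosts only to port 80
STRAY_ACK = Packet("203.0.113.5", 4444, "10.0.0.7", 31337, ack_only=True)

def admitted_after_install(rules, pkt):
    fw = Firewall([])
    fw.install_policy(rules)  # fresh, empty state table right after install
    return fw.inbound(pkt)
```

With the permissive outbound rule the stray ACK is admitted during the reset window; with the tight rule only ACKs whose source port is 80 get through, and a SYN never does.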
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:03 PDT