Re: Sloppy states

Previous thread: OT: good remote mgmt KVM switch by Jacob Yocom-Piatt on Tuesday, June 10, 2008 - 9:11 pm. (1 message)

Next thread: Development at the hackathon by Theo de Raadt on Wednesday, June 11, 2008 - 1:17 am. (7 messages)
To: <misc@...>
Subject: Sloppy states
Date: Tuesday, June 10, 2008 - 9:06 pm

I'm looking around and don't quite get sloppy states. Looking at the code
isn't quite helping. Anything else I can read?

--STeve Andre'

To: <misc@...>
Date: Tuesday, June 10, 2008 - 10:42 pm

like, pf.conf(5)?

sloppy
Uses a sloppy TCP connection tracker that does not check sequence
numbers at all, which makes insertion and ICMP teardown attacks way
easier. This is intended to be used in situations where one does
not see all packets of a connection, e.g. in asymmetric routing
situations. Cannot be used with modulate or synproxy state.

comes down to "do not use them".
there are some very special circumstances where they make things
possible that didn't work before, like relayd setups with that direct
server return stuff (where you should run another pf box with real
state tracking in front of the relayd box) or cases where you only see
half of the connection, and there one still has to be very careful.

anyone using sloppy statekeeping on regular firewalls deserves more
than a spanking.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
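
An added pf.conf fragment (not from the thread or from any OpenBSD source) showing the narrow case Henning describes, a relayd direct-server-return setup where pf only sees the client's half of each connection, beside the broad rule that should never carry sloppy. Interface names and the 192.0.2.10 address are made up for illustration.

```pf
# Added illustration, not from the thread. Interface names and addresses
# are constructed. Scenario: relayd direct server return, where the box
# sees the client's inbound packets but the server replies go straight
# back to the client, so pf never sees the other half of the connection.
# Per the thread, a separate pf box with real state tracking still
# belongs in front of this one.

ext_if  = "em0"
dsr_if  = "em1"
dsr_web = "192.0.2.10"    # constructed example address (TEST-NET-1)

# Default: full TCP state tracking, which checks sequence numbers and
# windows on every packet. All ordinary rules should look like this.
block
pass out on $ext_if proto { tcp udp } keep state

# WRONG: this disables sequence checking for every inbound TCP connection
# on the outside interface, which pf.conf(5) says makes insertion and
# ICMP teardown attacks far easier. Left commented out on purpose.
# pass in on $ext_if proto tcp to any keep state (sloppy)

# Narrow use: only the traffic pf provably sees half of (the DSR service),
# and nothing else. sloppy cannot be combined with "modulate state" or
# "synproxy state" on the same rule.
pass in on $dsr_if proto tcp to $dsr_web port 80 keep state (sloppy)
```

After loading, `pfctl -vvs states` shows the sloppy entries with no window or sequence information, which is a quick way to confirm the option applied only to the intended rule.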

To: <misc@...>
Date: Tuesday, June 10, 2008 - 11:34 pm

On Tuesday 10 June 2008 22:42:26 Henning Brauer wrote:

Crud. I did not look there. Sorry for the noise, but perhaps you've
warned some folks and they'll listen.

--STeve Andre'

To: STeve Andre' <andres@...>
Cc: <misc@...>
Date: Tuesday, June 10, 2008 - 10:38 pm

I also would like some insight on:
1) exactly what sloppy states are meant to do
2) what are some specific instances where we should use sloppy states
3) what is a case where it would be bad to use sloppy states.

Sam Fourman Jr.

To: <misc@...>
Date: Tuesday, June 10, 2008 - 10:43 pm

pretty much any.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
