From owner-freebsd-questions Mon Jun 17 19:05:31 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from web20605.mail.yahoo.com (web20605.mail.yahoo.com [216.136.226.163]) by hub.freebsd.org (Postfix) with SMTP id A8EA137B415 for ; Mon, 17 Jun 2002 19:05:26 -0700 (PDT)
Message-ID: <20020618020521.55227.qmail@web20605.mail.yahoo.com>
Received: from [199.106.223.32] by web20605.mail.yahoo.com via HTTP; Mon, 17 Jun 2002 19:05:21 PDT
Date: Mon, 17 Jun 2002 19:05:21 -0700 (PDT)
From: Jon
Reply-To: cykyc@yahoo.com
Subject: RE: ipfw: stateful rules & UDP/ICMP
To: barbish@a1poweruser.com, Ilia Chipitsine, questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

--- Joe & Fhe Barbish wrote:

> ICMP traffic can only be denied or allowed using stateless rules,
> advanced stateful check-state/keep-state rules have no special effect
> on ICMP packets.

Laptop at hotel (FreeBSD 4.6-RC FreeBSD #17: Wed Jun 12) previously connected to laptop running w2k w/ a cross-over.
root@localhost:~ 135 # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 0.0.0.0/8 to any via ep0
00500 deny ip from 169.254.0.0/16 to any via ep0
00600 deny ip from 224.0.0.0/4 to any via ep0
00700 deny ip from 240.0.0.0/4 to any via ep0
01000 allow tcp from me to any keep-state out xmit ep0
01100 allow udp from me to any keep-state out xmit ep0
01120 allow log icmp from me to any keep-state out xmit ep0
01170 deny udp from any 138 to any 138 via ep0
01171 deny udp from any 137 to any 137 via ep0
01200 deny log ip from any to any
65535 allow ip from any to any

fbsd: inet 172.30.31.32/16
w2k:  inet 172.30.31.33/16

-----

jon@localhost:~ 102 > ping -c 2 172.30.31.33
PING 172.30.31.33 (172.30.31.33): 56 data bytes
64 bytes from 172.30.31.33: icmp_seq=0 ttl=128 time=0.872 ms
...

root@localhost:~ 136 # ipfw -d list
...
## Dynamic rules:
01120 3 252 (T 5, slot 1) <-> icmp, 172.30.31.32 0<-> 172.30.31.33 0

root@localhost:~ 137 # tail /var/log/security
...
Jun 17 20:34:42 localhost /kernel: ipfw: 1120 Accept ICMP:8.0 172.30.31.32 172.30.31.33 out via ep0
Jun 17 20:34:42 localhost /kernel: ipfw: 1120 Accept ICMP:0.0 172.30.31.33 172.30.31.32 in via ep0

So why did that last Accept make it in? Where did I have a rule set up to allow ICMP type 0.0 in? I didn't: rule 1120 caught it.
I waited a couple of minutes and then ran a ping from the w2k box (no cut & paste, but I ran `ping 172.30.31.32`) w/o running anything from the fbsd box, and /var/log/security caught the results (rule 1200, deny all):

Jun 17 20:40:37 localhost /kernel: ipfw: 1200 Deny ICMP:8.0 172.30.31.33 172.30.31.32 in via ep0
Jun 17 20:40:41 localhost last message repeated 3 times

And now I ran a ping from the fbsd box to the w2k box, and then from the w2k box to the fbsd box quickly (1 ping each way):

Jun 17 20:42:44 localhost /kernel: ipfw: 1120 Accept ICMP:8.0 172.30.31.32 172.30.31.33 out via ep0
Jun 17 20:42:45 localhost /kernel: ipfw: 1120 Accept ICMP:0.0 172.30.31.33 172.30.31.32 in via ep0
Jun 17 20:42:46 localhost /kernel: ipfw: 1120 Accept ICMP:8.0 172.30.31.33 172.30.31.32 in via ep0
Jun 17 20:42:46 localhost /kernel: ipfw: 1120 Accept ICMP:0.0 172.30.31.32 172.30.31.33 out via ep0

Pragmatically, it seems your statement is false. ICMP does respond to the keep-state function, pretty much like the documentation explained in sys/netinet/ip_fw.c: src_ip, src_port, dst_ip, dst_port, proto. While it does function w/ keep-state, it may not be the intended result. I don't want to say this is a bug or feature, since both the source and the manpage refer to ports, whereas ICMP uses types and codes.

Take care,
Jon
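The behaviour Jon observes can be reproduced with a small model of ipfw's ICMP dynamic-rule matching, replayed over the log lines quoted above (added example, not ipfw source or the poster's code). It assumes, as the post describes, that the entry is keyed on (src_ip, 0, dst_ip, 0, icmp), that it lives the 5 seconds shown as "T 5" in the ipfw -d output, and that a matching packet refreshes that timer; the key point it shows is that an unsolicited inbound echo request (8.0) is accepted by rule 1120 while the entry is alive and only hits the deny rule 1200 after it has expired.

```python
from collections import namedtuple

ICMP_LIFETIME = 5                            # seconds, "(T 5, ...)" above
ME, PEER = "172.30.31.32", "172.30.31.33"    # fbsd laptop and w2k box

Pkt = namedtuple("Pkt", "t src dst icmp_type direction")

def hms(s):
    """'20:34:42' -> seconds since midnight (assumed same-day timestamps)."""
    h, m, sec = map(int, s.split(":"))
    return h * 3600 + m * 60 + sec

def state_key(src, dst):
    # Both "ports" are 0 for ICMP, so the address pair alone identifies the
    # entry and it matches in either direction (the "<->" in ipfw -d list).
    return frozenset((src, dst))

def firewall(packets):
    """Apply rules 1120 (allow icmp from me keep-state out) and 1200 (deny).
    Returns a (rule, action) verdict per packet, in order."""
    state = {}                # state_key -> expiry time (model assumption)
    verdicts = []
    for p in packets:
        k = state_key(p.src, p.dst)
        if k in state and p.t < state[k]:
            # Dynamic match: any ICMP type/code, including an inbound echo
            # request, is accepted while the entry is alive; hit refreshes it.
            state[k] = p.t + ICMP_LIFETIME
            verdicts.append((1120, "Accept"))
        elif p.direction == "out" and p.src == ME:
            state[k] = p.t + ICMP_LIFETIME   # rule 1120 creates the entry
            verdicts.append((1120, "Accept"))
        else:
            verdicts.append((1200, "Deny"))  # catch-all deny log rule
    return verdicts

# Constructed from the /var/log/security lines quoted in the post.
TRACE = [
    Pkt(hms("20:34:42"), ME, PEER, 8, "out"),
    Pkt(hms("20:34:42"), PEER, ME, 0, "in"),
    Pkt(hms("20:40:37"), PEER, ME, 8, "in"),   # unsolicited, entry expired
    Pkt(hms("20:42:44"), ME, PEER, 8, "out"),
    Pkt(hms("20:42:45"), PEER, ME, 0, "in"),
    Pkt(hms("20:42:46"), PEER, ME, 8, "in"),   # unsolicited, entry alive
    Pkt(hms("20:42:46"), ME, PEER, 0, "out"),
]

if __name__ == "__main__":
    for p, (rule, action) in zip(TRACE, firewall(TRACE)):
        print(f"ipfw: {rule} {action} ICMP:{p.icmp_type}.0 "
              f"{p.src} {p.dst} {p.direction} via ep0")
```

Running it prints the same Accept/Deny sequence as the quoted log: the 20:40:37 echo request is denied by 1200, while the 20:42:46 one rides the state created two seconds earlier.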