Date:      Sun, 14 Oct 2001 18:07:56 +0200
From:      devet@devet.org (Arjan de Vet)
To:        stable@freebsd.org
Subject:   Re: IPFW or IPFILTER?
Message-ID:  <20011014180756.A17546@adv.devet.org>
In-Reply-To: <20011012184741.D6274@blossom.cjclark.org>
References:  <Pine.GSO.4.21.0110121216390.27495-100000@sun10pg2.wam.umd.edu> <20011012185458.K69352-100000@darkwing.turbo.net>

In article <20011012184741.D6274@blossom.cjclark.org> you write:

>"Keeping state" on UDP (a stateless protocol, BTW) is pretty easy. You
>see a packet,
>
>  <src_ip>:<src_port> -> <dst_ip>:<dst_port>
>
>So you then allow,
>
>  <dst_ip>:<dst_port> -> <src_ip>:<src_port>
>
>To go through for a while. ipfw(8) dynamic rules will handle this just
>fine.

In the case of ipfilter keeping state on UDP connections will also allow
some ICMP messages (like 'host unreachable' or 'port unreachable') that
are 'related' to that particular UDP connection to pass through.

>ICMP is another issue. Doing something like,
>
>  pass icmp from any to any out via <external_if> keep-state
>
>Will let you ping the rest of the world and even let Windows-style
>traceroutes work, but that's because it works like this:
>
>  <src_ip>:<src_icmp_type.src_icmp_code> -> <dst_ip>
>
>Creates a dynamic rule,
>
>  pass icmp from <dst_ip> to <src_ip>
>
>That is, _any_ ICMP from <dst_ip> to <src_ip> is passed for the
>dynamic rule's lifetime.

IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
allowed to pass through.

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands               <devet@devet.org>
URL: http://www.iae.nl/users/devet/             <Arjan.deVet@adv.iae.nl>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
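The difference in state tracking that the two messages above describe, as an added Python model. This is not code from FreeBSD, ipfw or ipfilter and not anything the posters wrote: the two rule generators encode the semantics stated in the thread (ipfw remembers the reverse UDP 4-tuple but for ICMP only the address pair, so any ICMP type from the pinged host comes back in; ipfilter pairs an echo request with echo replies only, and lets ICMP unreachables that belong to a tracked UDP flow through). The Packet fields, the `inner` tuple used to relate an ICMP error to its flow, and all addresses and ports are constructed for the example.

```python
"""Model of the ipfw(8) vs ipfilter keep-state behaviour discussed in this thread.

Added illustration, not FreeBSD/ipfw/ipfilter code: the rule generators encode
the semantics described in the messages above.  Packet layout, the 'inner'
4-tuple of an ICMP error and all addresses/ports are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3   # code 1 = host unreachable, code 3 = port unreachable
ICMP_REDIRECT = 5
ICMP_ECHO = 8

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the original datagram


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                   # udp only
    dport: int = 0
    icmp_type: int = -1              # icmp only
    icmp_code: int = 0
    inner: Optional[FlowKey] = None  # ICMP errors: 4-tuple of the quoted datagram


Matcher = Callable[[Packet], bool]


def _udp_reverse(out: Packet) -> Matcher:
    """The return half of a UDP exchange: dst:dport -> src:sport."""
    return lambda p: (p.proto == "udp" and p.src == out.dst and p.sport == out.dport
                      and p.dst == out.src and p.dport == out.sport)


def ipfw_dynamic_rule(out: Packet) -> Matcher:
    """ipfw keep-state as C.J. Clark describes it: for ICMP the dynamic rule is
    'pass icmp from <dst_ip> to <src_ip>', so the reply's ICMP type is not checked."""
    if out.proto == "udp":
        return _udp_reverse(out)
    if out.proto == "icmp":
        return lambda p: p.proto == "icmp" and p.src == out.dst and p.dst == out.src
    raise ValueError(out.proto)


def ipfilter_dynamic_rule(out: Packet) -> Matcher:
    """ipfilter keep state as Arjan describes it: an echo request admits echo
    replies only; a UDP entry also admits ICMP unreachables whose embedded
    datagram belongs to that flow (the 'related' ICMP of his message)."""
    if out.proto == "udp":
        udp = _udp_reverse(out)
        flow: FlowKey = (out.src, out.sport, out.dst, out.dport)

        def match(p: Packet) -> bool:
            if udp(p):
                return True
            return (p.proto == "icmp" and p.icmp_type == ICMP_DEST_UNREACH
                    and p.dst == out.src and p.inner == flow)
        return match
    if out.proto == "icmp" and out.icmp_type == ICMP_ECHO:
        return lambda p: (p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REPLY
                          and p.src == out.dst and p.dst == out.src)
    raise ValueError(f"no state model for {out.proto}/{out.icmp_type}")


def decide(flavour: str, out: Packet, inbound: Packet) -> bool:
    """Would 'inbound' be passed by the dynamic rule that 'out' created?"""
    rule = {"ipfw": ipfw_dynamic_rule, "ipfilter": ipfilter_dynamic_rule}[flavour]
    return rule(out)(inbound)


# Constructed sample traffic: a DNS query and a ping from 192.0.2.10 (our host).
DNS_QUERY = Packet("udp", "192.0.2.10", "198.51.100.53", sport=40123, dport=53)
DNS_REPLY = Packet("udp", "198.51.100.53", "192.0.2.10", sport=53, dport=40123)
DNS_FLOW: FlowKey = ("192.0.2.10", 40123, "198.51.100.53", 53)
PORT_UNREACH = Packet("icmp", "198.51.100.53", "192.0.2.10",
                      icmp_type=ICMP_DEST_UNREACH, icmp_code=3, inner=DNS_FLOW)
UNRELATED_UNREACH = Packet("icmp", "198.51.100.53", "192.0.2.10",
                           icmp_type=ICMP_DEST_UNREACH, icmp_code=3,
                           inner=("192.0.2.10", 40999, "198.51.100.53", 53))
PING = Packet("icmp", "192.0.2.10", "203.0.113.7", icmp_type=ICMP_ECHO)
PING_REPLY = Packet("icmp", "203.0.113.7", "192.0.2.10", icmp_type=ICMP_ECHO_REPLY)
REDIRECT = Packet("icmp", "203.0.113.7", "192.0.2.10", icmp_type=ICMP_REDIRECT, icmp_code=1)


def summary() -> dict:
    """Side-by-side verdicts for the sample traffic, keyed by (flavour, case)."""
    cases = {
        "udp reply": (DNS_QUERY, DNS_REPLY),
        "related port-unreach": (DNS_QUERY, PORT_UNREACH),
        "unrelated port-unreach": (DNS_QUERY, UNRELATED_UNREACH),
        "echo reply": (PING, PING_REPLY),
        "redirect from pinged host": (PING, REDIRECT),
    }
    return {(fw, name): decide(fw, out, inb)
            for fw in ("ipfw", "ipfilter") for name, (out, inb) in cases.items()}


if __name__ == "__main__":
    for (fw, name), verdict in sorted(summary().items()):
        print(f"{fw:9} {name:26} {'pass' if verdict else 'drop'}")
```

Running it prints one verdict per (firewall, case) pair. The two rows worth looking at are "redirect from pinged host" (pass under the ipfw model, drop under ipfilter, which is exactly the '_any_ ICMP' point in the quoted message) and "related port-unreach" (drop under ipfw, pass under ipfilter, the related-ICMP behaviour Arjan mentions). The model only checks the ICMP error's quoted 4-tuple against the flow; a real implementation also has to validate the embedded header before trusting it.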
