Date: Tue, 11 Mar 2014 19:05:58 +1100
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: Julian Elischer <julian@freebsd.org>, ipfw@freebsd.org
Subject: Re: ipfw stateful and ICMP
Message-ID: <531EC3E6.8030604@heuristicsystems.com.au>
In-Reply-To: <531E88C3.6030305@freebsd.org>
References: <531E88C3.6030305@freebsd.org>
On 11/03/2014 2:53 PM, Julian Elischer wrote:
> It has annoyed me for some time that icmp packets referring to an
> ongoing session cannot be matched by a dynamic rule that governs that
> session.
>
> For example, if you have a dynamic rule for tcp 1.2.3.4 port
> 80 from 5.6.7.8 port 10000 then a returning icmp packet giving
> "destination unreachable" and holding the appropriate header
> in its data segment should probably be allowed to go through
> back to the originator.
>
> Briefly looking at the code I see no sign of this and I haven't seen
> any sign of it in action so I hope I'm not going to get a
> "but it already does that" response.
>
> My way of approaching it would be to change the dynamic rule code so that
> it checks that the ICMP destination address matches the source address
> of the packet fragment in the 'data' section, and then match the data
> segment packet header with the dynamic rules instead of the icmp packet
> itself.
>
> I would also add a sysctl to disable this behaviour, because there is
> always someone who doesn't want any change you care to name.
>
> The only way you can get icmp packets back to the originating sender
> at the moment is to just allow them through without any major filtering.
> That leaves you open to a large attack window.
>
> Anyone have violent objections?
>
> (I'm currently rewriting the firewall rules at $DAYJOB and I think I'd
> like to have this, but as we're on 8.0 I'll have to wait a while before
> I can use my own patch :-)
>
> Julian

Julian,

That's a good idea, and I appreciate the feedback opportunity. May I suggest a sysctl to enable the behaviour, rather than one to disable it? For two reasons: so that existing ipfw sites don't find the need to change or amend existing firewall rules (we typically open icmp 3 and 11); and how do you envisage "ipfw show" will display this compound behaviour?

Regards,
Dewayne.
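As an added example (not ipfw's code, and not from either poster), here is the check Julian sketches carried through in C: take an IPv4 packet carrying an ICMP error, recover the original header quoted after the 8-byte ICMP header, require that the quoted source address equals the ICMP packet's destination, and then look the quoted five-tuple up in a dynamic-rule table instead of matching the ICMP packet itself. It goes slightly beyond the text in accepting every RFC 792 error type that quotes a datagram (3, 4, 5, 11 and 12), which covers the types 3 and 11 Dewayne mentions opening. `struct flow`, `dyn_lookup`, `icmp_error_allowed` and the other names are this example's own, not ipfw identifiers; the packet bytes are constructed inline to match Julian's 5.6.7.8:10000 -> 1.2.3.4:80 example, not captured; and checksums are not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical dynamic-rule entry: the five-tuple of the flow that created it. */
struct flow {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return IP4(p[0], p[1], p[2], p[3]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse an IPv4 header; returns its length in bytes, or 0 if malformed or truncated. */
static size_t parse_ipv4(const uint8_t *p, size_t len, uint8_t *proto, uint32_t *src, uint32_t *dst)
{
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(p[0] & 0x0f) * 4;
    if (hl < 20 || hl > len) return 0;
    *proto = p[9]; *src = rd32(p + 12); *dst = rd32(p + 16);
    return hl;
}

/* ICMP types that quote the offending datagram (RFC 792): destination unreachable, source
 * quench, redirect, time exceeded, parameter problem. Echo and friends quote nothing. */
static int icmp_is_error(uint8_t type) { return type == 3 || type == 4 || type == 5 || type == 11 || type == 12; }

/*
 * From an IPv4 packet carrying an ICMP error, recover the flow of the original datagram quoted
 * after the 8-byte ICMP header, requiring that the quoted source equals the ICMP packet's
 * destination (the check Julian describes). The quoted header is the original outgoing packet,
 * so the result lines up with the dynamic rule's forward direction without swapping.
 * Returns 1 on success, 0 if the packet is not a usable ICMP error. Checksums are not verified.
 */
int icmp_error_to_flow(const uint8_t *pkt, size_t len, struct flow *out)
{
    uint8_t proto; uint32_t src, dst;
    size_t hl = parse_ipv4(pkt, len, &proto, &src, &dst);
    (void)src;
    if (hl == 0 || proto != 1) return 0;                  /* not ICMP */
    uint16_t total = rd16(pkt + 2);
    if (total < hl + 8 || total > len) return 0;          /* bad total length or truncated */
    const uint8_t *icmp = pkt + hl;
    if (!icmp_is_error(icmp[0])) return 0;                /* echo etc.: nothing to match on */
    const uint8_t *inner = icmp + 8;
    size_t inner_len = total - hl - 8;
    size_t ihl = parse_ipv4(inner, inner_len, &out->proto, &out->src, &out->dst);
    if (ihl == 0 || inner_len < ihl + 8) return 0;        /* RFC 792: 64 bits of payload follow */
    if (out->src != dst) return 0;                        /* quoted packet was not sent by the receiver */
    if (out->proto != 6 && out->proto != 17) return 0;    /* ports only meaningful for TCP/UDP */
    out->sport = rd16(inner + ihl);
    out->dport = rd16(inner + ihl + 2);
    return 1;
}

/* Match a flow against the dynamic-rule table in either direction (keep-state semantics). */
int dyn_lookup(const struct flow *table, size_t n, const struct flow *f)
{
    for (size_t i = 0; i < n; i++) {
        const struct flow *t = &table[i];
        if (t->proto != f->proto) continue;
        if (t->src == f->src && t->dst == f->dst && t->sport == f->sport && t->dport == f->dport) return 1;
        if (t->src == f->dst && t->dst == f->src && t->sport == f->dport && t->dport == f->sport) return 1;
    }
    return 0;
}

/* Decide whether an ICMP error may pass on the strength of an existing dynamic rule. */
int icmp_error_allowed(const uint8_t *pkt, size_t len, const struct flow *table, size_t n)
{
    struct flow f;
    return icmp_error_to_flow(pkt, len, &f) && dyn_lookup(table, n, &f);
}

/* Constructed sample (not a capture): router 9.9.9.9 reports "host unreachable" to 5.6.7.8
 * for the TCP segment 5.6.7.8:10000 -> 1.2.3.4:80. inner_src lets a caller forge the quoted
 * source address to exercise the rejection path. Returns the packet length (56 bytes). */
size_t build_icmp_unreach(uint8_t *buf, uint32_t inner_src)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; wr16(buf + 2, 56); buf[8] = 64; buf[9] = 1;          /* outer IP, proto ICMP */
    wr32(buf + 12, IP4(9, 9, 9, 9)); wr32(buf + 16, IP4(5, 6, 7, 8));
    buf[20] = 3; buf[21] = 1;                                           /* ICMP type 3, code 1 */
    uint8_t *in = buf + 28;
    in[0] = 0x45; wr16(in + 2, 60); in[8] = 64; in[9] = 6;              /* quoted IP, proto TCP */
    wr32(in + 12, inner_src); wr32(in + 16, IP4(1, 2, 3, 4));
    wr16(in + 20, 10000); wr16(in + 22, 80); wr32(in + 24, 0x12345678); /* TCP ports and seq */
    return 56;
}
```

With the table holding the single entry for 5.6.7.8:10000 -> 1.2.3.4:80, the genuine error passes, the same error with the quoted source forged to 5.6.7.9 is dropped by the address check alone, and an error quoting a flow with no dynamic rule (port 10001) is dropped by the lookup. Note that the quoted header is the originator's own outgoing datagram, so it matches the rule's forward direction directly; the ICMP packet's own addresses are only used for the consistency check.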