Date: Wed, 12 Mar 2014 00:05:31 -0700
From: Julian Elischer <julian@freebsd.org>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>, ipfw@freebsd.org
Subject: Re: ipfw stateful and ICMP
Message-ID: <5320073B.7070006@freebsd.org>
In-Reply-To: <531EC3E6.8030604@heuristicsystems.com.au>
References: <531E88C3.6030305@freebsd.org> <531EC3E6.8030604@heuristicsystems.com.au>
On 3/11/14, 1:05 AM, Dewayne Geraghty wrote:
> On 11/03/2014 2:53 PM, Julian Elischer wrote:
>> It has annoyed me for some time that icmp packets referring to an
>> ongoing session can not be matched by a dynamic rule that governs that
>> session.
>>
>> For example, if you have a dynamic rule for tcp 1.2.3.4 port 80 from
>> 5.6.7.8 port 10000 then a returning icmp packet giving "destination
>> unreachable" and holding the appropriate header in its data segment
>> should probably be allowed to go through back to the originator.
>>
>> Briefly looking at the code I see no sign of this and I haven't seen
>> any sign of it in action so I hope I'm not going to get a
>> "but it already does that" response.
>>
>> My way of approaching it would be to change the dynamic rule code so that
>> it checks that the ICMP destination address matches the source address
>> of the packet fragment in the 'data' section, and then match the data
>> segment packet header with the dynamic rules instead of the icmp packet
>> itself.
>>
>> I would also add a sysctl to disable this behaviour, because there is
>> always someone who doesn't want any change you care to name.
>>
>> The only way you can allow icmp packets back to the originating sender
>> at the moment is to just allow them through without any major filtering.
>> That leaves you open to a large attack window.
>>
>> anyone have violent objections?
>>
>> (I'm currently rewriting the firewall rules at $DAYJOB and I think I'd
>> like to have this, but as we're on 8.0 I'll have to wait a while before
>> I can use my own patch :-)
>>
>> Julian
>>
> Julian,
> That's a good idea, and I appreciate the feedback opportunity.
>
> May I suggest a sysctl to enable the behaviour, rather than one to
> disable it. For two reasons: so that existing ipfw sites don't find the
> need to change or amend existing firewall rules (we typically open icmp
> 3 and 11); and how do you envisage "ipfw show" will display this
> compound behaviour?

I don't know that it needs to show anything special. The display of
dynamic rules might be changed to show something but I haven't thought
too much about it yet.

> Regards, Dewayne.
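The lookup Julian describes (check that the ICMP destination equals the source of the embedded datagram, then match the embedded header against the dynamic rules), with a flag standing in for the sysctl Dewayne raises, modelled as an added Python example. This is not ipfw's kernel code and nothing from the thread; it assumes a plain dictionary in place of ipfw's dynamic rule table, an embedded IP header without options, and leaves checksums unverified. It goes a little beyond the message in two ways: it accepts both destination unreachable (type 3) and time exceeded (type 11), the two types Dewayne mentions opening, and it looks the embedded 5-tuple up in both directions, since the error may concern a packet sent by either end of the session. The sample packets and addresses (the router 9.9.9.9, the host 10.0.0.1) are constructed for the example.

```python
import struct
import ipaddress

# Protocol numbers and the ICMP error types that carry an embedded datagram.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11

# Constructed stand-in for ipfw's dynamic rule table: the 5-tuple of the
# packet that created the state -> the rule that created it.  Only the
# session from the thread is present.
DYNAMIC_RULES = {
    (IPPROTO_TCP, "5.6.7.8", 10000, "1.2.3.4", 80):
        "allow tcp from 5.6.7.8 to 1.2.3.4 80 keep-state",
}


def parse_ipv4(buf):
    """Return (proto, src, dst, header_len) for an IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return buf[9], src, dst, ihl


def match_icmp_error_to_state(packet, rules=DYNAMIC_RULES, enabled=True):
    """Model of the proposed lookup: return the dynamic rule an ICMP error
    belongs to, or None so that it falls through to the static rules.
    `enabled` stands in for the sysctl discussed in the thread (hypothetical)."""
    if not enabled:
        return None
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != IPPROTO_ICMP:
        return None
    _, _, outer_dst, ihl = outer
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    # RFC 792: after the 8-byte ICMP header comes the original IP header plus
    # at least the first 8 bytes of its payload, which covers the L4 ports.
    inner = parse_ipv4(icmp[8:])
    if inner is None:
        return None
    in_proto, in_src, in_dst, in_ihl = inner
    # The check from the thread: an error about a packet must be addressed to
    # the host that sent that packet.  Anything else gets no state match.
    if outer_dst != in_src:
        return None
    if in_proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    l4 = icmp[8 + in_ihl:]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    # The embedded packet may have been sent by either end of the session, so
    # look the 5-tuple up in both directions, as a dynamic rule would match it.
    forward = (in_proto, in_src, sport, in_dst, dport)
    reverse = (in_proto, in_dst, dport, in_src, sport)
    return rules.get(forward) or rules.get(reverse)


# --- constructed sample packets (checksums left zero; not verified above) ---

def build_ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_icmp_error(icmp_type, code, original):
    # Type, code, checksum, 4 unused bytes, then the original header (20
    # bytes, no options assumed) and 8 bytes of its payload.
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]


def sample_packets():
    """ICMP errors from a router 9.9.9.9 about the thread's session
    5.6.7.8:10000 -> 1.2.3.4:80 (all constructed for this example)."""
    def tcp(sport, dport):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    session = build_ipv4("5.6.7.8", "1.2.3.4", IPPROTO_TCP, tcp(10000, 80))
    reply = build_ipv4("1.2.3.4", "5.6.7.8", IPPROTO_TCP, tcp(80, 10000))
    unknown = build_ipv4("5.6.7.8", "1.2.3.4", IPPROTO_TCP, tcp(20000, 80))
    return {
        # Addressed to the originator and embeds the tracked session: matched.
        "legit": build_ipv4("9.9.9.9", "5.6.7.8", IPPROTO_ICMP, build_icmp_error(3, 1, session)),
        # Time exceeded about the server's reply, addressed to the server: matched.
        "reverse": build_ipv4("9.9.9.9", "1.2.3.4", IPPROTO_ICMP, build_icmp_error(11, 0, reply)),
        # Addressed to a host other than the embedded source: no match.
        "misaddressed": build_ipv4("9.9.9.9", "10.0.0.1", IPPROTO_ICMP, build_icmp_error(3, 1, session)),
        # Well formed but about a session with no dynamic rule: no match.
        "no_state": build_ipv4("9.9.9.9", "5.6.7.8", IPPROTO_ICMP, build_icmp_error(3, 1, unknown)),
        # Echo request: not an error type, never considered by this path.
        "echo": build_ipv4("9.9.9.9", "5.6.7.8", IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:13s} -> {match_icmp_error_to_state(pkt)}")
```

Only the "legit" and "reverse" packets resolve to the dynamic rule; the misaddressed, unknown-session and echo packets return None and would be left to whatever static icmp rules the site already has, which is the fallback Dewayne's enable-by-default concern is about.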