Date:      Fri, 12 Jul 2002 22:27:50 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID:  <20020713052750.GA48937@blossom.cjclark.org>
In-Reply-To: <20020704043409.A26837@iguana.icir.org>
References:  <20020704043409.A26837@iguana.icir.org>

On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> I was looking at the implementation of ipfw rules which generate
> a feedback packet back to the source (reset, reject and unreach)
> and I realised that there is a potential problem here...
> 
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RSTs do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
> 
> I think policies should be consistent -- either all packets (including
> ICMPs generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
> 
> So, what do we want to do?

I would initially say that packets generated by a firewall rule should
go out without being filtered again. That is the simplest. Simple
makes for better security.

I've been trying to think of configurations where the only way to
control where replies go is by outgoing filter rules, but I haven't
been able to think of any.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
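An added example (not part of the thread, and not FreeBSD's own ruleset) showing the inconsistency Luigi describes in an ipfw rules file, as loaded with `ipfw /etc/ipfw.rules`. The interface name em0 and the address 192.0.2.10 are constructed for the example; the behaviour attributed to each rule follows the thread's description (RSTs re-enter the firewall, host-generated ICMP bypasses it).

```conf
# Added example: ipfw rules file, not code from the thread.
# em0 and 192.0.2.10 are assumptions made for this example.

add 100 allow ip from any to any via lo0

# A TCP SYN to a closed service gets a firewall-generated RST. Per the
# thread, that RST is pushed back through the firewall, so it is subject
# to the outbound rules below.
add 200 reset tcp from any to 192.0.2.10 23 in via em0 setup

# A UDP probe gets an ICMP port-unreachable. Per the thread, this
# host-generated ICMP bypasses the firewall and never reaches rule 500.
add 300 unreach port udp from any to 192.0.2.10 1024-65535 in via em0

# "established" matches TCP packets with RST or ACK set, so with this
# rule present the RST from rule 200 is allowed out.
add 400 allow tcp from 192.0.2.10 to any out via em0 established

# Outbound catch-all. Comment out rule 400 and, under the re-filtering
# behaviour the thread describes, this rule silently eats the RST while
# the ICMP unreachable from rule 300 still leaves the host. Under the
# bypass policy Crist proposes, both feedback packets leave regardless.
add 500 deny ip from 192.0.2.10 to any out via em0

add 65000 deny ip from any to any
```

The asymmetry is the point: a reader auditing rules 400 and 500 would expect both kinds of feedback packet to be governed the same way, and the fact that only one of them is explains why an outbound rule can break `reset` but not `unreach`.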
