From owner-freebsd-hackers Thu Aug 2 11:18:11 2001
Message-ID: <000a01c11b7f$ec5a4520$650110ac@nachpolierer>
From: "Dennis Berger"
To: "Peter Pentchev"
References: <000801c11b66$f57452e0$650110ac@nachpolierer> <20010802202618.A11105@ringworld.oblivion.bg>
Subject: Re: keep-state rule for icmp, really stateful ???
Date: Thu, 2 Aug 2001 20:21:18 +0200

Sorry, I missed something ... forget

----- Original Message -----
From: "Peter Pentchev"
To: "Dennis Berger"
Sent: Thursday, August 02, 2001 7:26 PM
Subject: Re: keep-state rule for icmp, really stateful ???

> On Thu, Aug 02, 2001 at 05:22:36PM +0200, Dennis Berger wrote:
> > Hi
> > I have the following rule allowing traceroute and ping to my server.
> > "200 allow icmp from any to any keep-state in recv tun0 icmptype 8"
> > Now I would assume that this rule generates two dynamic rules back.
> > The first one is a rule that allows ping to work properly; it's just a dynamic ICMP rule:
> > 00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0
> > and the second is so that the traceroute UDP traffic from ports 33434-33960 can pass in.
> > But what happens ... rule 200 doesn't open a second dynamic rule to allow UDP traffic to specific ports back in, so the traceroute UDP traffic will be blocked. To keep the ICMP packet filtering stateful it would be nice to implement this cleanly. Or maybe it is already implemented in the CURRENT tree. What's the current state?
>
> Errrr.. maybe it's just me, but I just can't see how a rule that says
> 'allow icmp' should allow UDP traffic to pass through..
> Maybe you haven't shown us all the rules? (And I don't necessarily
> mean 'all the rules pertaining to icmp and traceroute'.. it might
> as well be that some other rule, which you do not consider relevant,
> is blocking your traceroute packets.)
>
> G'luck,
> Peter
>
> --
> I am jealous of the first word in this sentence.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
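The rule set below is an added example, not code from either poster or from FreeBSD: it shows how an ipfw configuration that lets both ping and traceroute reach the host would look, given that a keep-state entry only ever matches the flow (protocol, addresses, ports) of the packet that created it. The interface name tun0 and the UDP probe port range 33434-33960 are taken from the thread; the rule numbers, the `me` address keyword and the `IFACE`/`TR_PORTS` variables are assumptions of the example. The script only emits the commands; applying them requires a FreeBSD host with ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules so that both ping and
# traceroute-to-this-host work. Assumptions: external interface tun0 and
# UDP probe ports 33434-33960, both as stated in the thread.
#
# Why a second rule is needed: keep-state records the 5-tuple (protocol,
# addresses, ports) of the packet that matched, and check-state matches
# only packets of that same flow in either direction. The entry created
# by an ICMP echo-request therefore matches the echo-reply and nothing
# else; UDP traceroute probes are a different protocol and need their own
# rule.

IFACE=${IFACE:-tun0}                # assumption: interface from the thread
TR_PORTS=${TR_PORTS:-33434-33960}   # assumption: probe port range from the thread

# Emit the ipfw commands. On the firewall host, as root,
#     traceroute_rules | sh
# applies them; by default nothing on the system is changed.
traceroute_rules() {
    cat <<EOF
# Consult the dynamic rule table first, so replies of tracked flows pass.
ipfw add 100 check-state
# Ping to this host: the echo-request (type 8) creates a dynamic ICMP
# entry, which lets the echo-reply back out (the thread's rule 200).
ipfw add 200 allow icmp from any to me in recv $IFACE icmptype 8 keep-state
# Traceroute to this host: UDP probes arrive on the high port range.
# No keep-state here: the answer to a probe is ICMP, not UDP, so a UDP
# dynamic entry would never match it anyway.
ipfw add 210 allow udp from any to me $TR_PORTS in recv $IFACE
# The host answers each probe with ICMP port-unreachable (type 3);
# allow those out explicitly, since no dynamic entry covers them.
ipfw add 220 allow icmp from me to any out xmit $IFACE icmptype 3
EOF
}

# Count the generated rules for a given protocol keyword (icmp, udp);
# a quick sanity check before piping the set into sh.
rules_for_proto() {
    traceroute_rules | grep -v '^#' | grep -c " $1 "
}
```

Rule 210 carries no keep-state on purpose: a dynamic UDP entry would only ever match UDP packets of the same flow, so it cannot help the ICMP type 3 reply, which is why that reply gets its own outbound rule. The ICMP type numbers used (8 echo request, 3 destination unreachable) are the standard ones.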