Date: Wed, 31 Oct 2001 20:45:35 +0100 (CET) From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> To: Michael Scheidell <scheidell@fdma.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: can I use keep-state for icmp rules? Message-ID: <Pine.BSF.4.21.0110312035550.424-100000@lhotse.zaraska.dhs.org> In-Reply-To: <000901c1620f$51428530$2801010a@MIKELT>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 31 Oct 2001, Michael Scheidell wrote:
<snip>
> So, is ipfilter MORE statefull? ie, will it check more carefully?
At least with TCP, yes.
> One reason I asked, while testing the ipf icmp rules.
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)
See my previous mail on this topic. keep-state will allow back _any_ ICMP
from host you ping, so if you ping them, they may ping you back until
dynamic rule expires (note however, that _theoretically_ it may never
expire, since it will be constantly refreshed by your ping replies). In
order to prevent this from happening one should filter basing on ICMP
types. ICMP may be effectively filtered even in non-stateful manner. See
my previous post for a little more detailed discussion.
Krzysztof
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0110312035550.424-100000>