Date:      Thu, 1 Nov 2001 12:17:04 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Mario de Oliveira Lobo Neto <Mlobo@ear.com.br>
Cc:        freebsd-security@freebsd.org
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <20011101121704.B4360@blossom.cjclark.org>
In-Reply-To: <3BE0FB2F.32137.8E1D80C@localhost>; from Mlobo@ear.com.br on Thu, Nov 01, 2001 at 06:35:16AM -0200
References:  <20011031152625.8040B137CB@xlr82xs.shacknet.nu>; <20011031131434.B246@gohan.cjclark.org> <3BE0FB2F.32137.8E1D80C@localhost>

On Thu, Nov 01, 2001 at 06:35:16AM -0200, Mario de Oliveira Lobo Neto wrote:
> > On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> > [snip]
> > 
> > > I don't use keep-state for my tcp either, with
> > > 
> > > ipfw add allow tcp from any to any out via <interface>
> > > ipfw add allow log tcp from any to any 80 in via <interface> setup
> > > ipfw add allow tcp from any to any in via <interface> connected
> > > ipfw add deny log tcp from any to any in via <interface>
> > > 
> > > which, as far as I know should stop the problems mentioned with using 
> > > keep-state..
> > > 
> > > if i'm wrong, please tell me :)
> > 
> > Doing a stateless packet filter for TCP has some problems. It is
> > trivial to scan for the topology of the network behind the firewall
> > for example. It is possible to fingerprint network stacks to some
> > extent through a stateless packet filter.
> > -- 
> > Crist J. Clark                           cjclark@alum.mit.edu
> 
> Forgive me if this is a stupid question but could you give a hint (or 
> directions to learn) when and in which type/port ipfw rules should 
> keep-state be used?

ipfw(8)'s "keep-state" rules work well for "outgoing" TCP and UDP. For
incoming connections to a specific service, it really isn't worth the
bother. A portion of a firewall setup script might look something like,

  ipfw add pass icmp from any to ${internal_net} in via ${oif} icmptypes 0,3,11
  ipfw add pass tcp from any to ${web_server} 80 in  via ${oif}
  ipfw add pass tcp from ${web_server} 80 to any out via ${oif}
  ipfw add check-state
  ipfw add pass tcp from ${internal_net} to any out via ${oif} keep-state
  ipfw add pass udp from ${internal_net} to any out via ${oif} keep-state

Note the first rule. Without it, one might claim we have "broken" IP
connectivity since the various "keep-state" rules will not pass ICMP
error messages associated with their connections. Read any of various
threads where a non-network-savvy administrator is trying to get
traceroute(8) to work for examples of that. (Also, note that the
"check-state" rule in this particular set is gratuitous.)

"keep-state" does have meaning for other protocols (ICMP was the
one that started the thread and it works the same way for others), but
few people will have need for anything besides TCP, UDP, and ICMP.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
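
The ruleset quoted in the reply above, modelled in Python as an added example (not part of the original mail, and not ipfw's own code) to show why the first ICMP rule is needed: keep-state entries are keyed on the 5-tuple, so the ICMP time-exceeded reply to a traceroute probe never matches the dynamic rule created for the UDP flow. The addresses, port numbers and the two-state matching logic are constructed assumptions that simplify ipfw(8); every rule is "via ${oif}", so the interface is left out.

```python
import ipaddress
from collections import namedtuple

# Constructed sample values standing in for ${internal_net} and ${web_server}.
INTERNAL_NET, WEB_SERVER = "192.168.1.0/24", "192.168.1.10"
Pkt = namedtuple("Pkt", "proto src sport dst dport dir icmptype", defaults=(-1,))

def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

class Ipfw:
    def __init__(self, rules):
        self.rules, self.dyn = rules, set()   # static rules; dynamic (keep-state) table

    def _static_match(self, r, p):
        return (r["proto"] == p.proto and _in(p.src, r["src"]) and _in(p.dst, r["dst"])
                and r.get("sport") in (None, p.sport) and r.get("dport") in (None, p.dport)
                and r["dir"] == p.dir and (not r.get("icmptypes") or p.icmptype in r["icmptypes"]))

    def _dyn_match(self, p):
        # Dynamic entries are keyed on the 5-tuple (either direction). An ICMP error
        # about a UDP/TCP flow has a different protocol, so it never matches one.
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.dyn
                or (p.proto, p.dst, p.dport, p.src, p.sport) in self.dyn)

    def check(self, p):
        for r in self.rules:
            if r.get("check_state") or r.get("keep_state"):  # keep-state implies check-state
                if self._dyn_match(p):
                    return "pass"
            if not r.get("check_state") and self._static_match(r, p):
                if r.get("keep_state"):
                    self.dyn.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r["action"]
        return "deny"  # default-deny policy assumed for the constructed ruleset

def build_ruleset(with_icmp_rule=True):
    """The six rules quoted above; rule 1 is made optional here only to show its effect."""
    rules = [dict(action="pass", proto="icmp", src="any", dst=INTERNAL_NET, dir="in", icmptypes=(0, 3, 11))] if with_icmp_rule else []
    rules += [dict(action="pass", proto="tcp", src="any", dst=WEB_SERVER, dport=80, dir="in"),
              dict(action="pass", proto="tcp", src=WEB_SERVER, sport=80, dst="any", dir="out"),
              dict(check_state=True),
              dict(action="pass", proto="tcp", src=INTERNAL_NET, dst="any", dir="out", keep_state=True),
              dict(action="pass", proto="udp", src=INTERNAL_NET, dst="any", dir="out", keep_state=True)]
    return Ipfw(rules)

def traceroute_probe(fw):
    """A UDP probe from an internal host, then the ICMP time-exceeded (type 11) from a hop."""
    probe = Pkt("udp", "192.168.1.5", 33434, "10.0.0.1", 33435, "out")
    ttl_exceeded = Pkt("icmp", "172.16.0.1", 0, "192.168.1.5", 0, "in", 11)
    return fw.check(probe), fw.check(ttl_exceeded)
```

With the ICMP rule in place the probe and the hop's reply both pass; drop it and the reply is silently denied even though the UDP reply from the destination still matches the dynamic entry.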
