From owner-freebsd-questions  Sat Jun 15 10: 8:15 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from web20604.mail.yahoo.com (web20604.mail.yahoo.com [216.136.226.162])
	by hub.freebsd.org (Postfix) with SMTP id 2EFB337B430
	for <questions@FreeBSD.ORG>; Sat, 15 Jun 2002 10:08:09 -0700 (PDT)
Message-ID: <20020615170808.81047.qmail@web20604.mail.yahoo.com>
Received: from [209.173.210.209] by web20604.mail.yahoo.com via HTTP; Sat, 15 Jun 2002 10:08:08 PDT
Date: Sat, 15 Jun 2002 10:08:08 -0700 (PDT)
From: Jon <cykyc@yahoo.com>
Reply-To: cykyc@yahoo.com
Subject: Re: ipfw: stateful rules & UDP/ICMP
To: Ilia Chipitsine <ilia@cgu.chel.su>, questions@FreeBSD.ORG
In-Reply-To: <Pine.BSF.4.10.10206152154500.481-100000@jane.poka.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

--- Ilia Chipitsine <ilia@cgu.chel.su> wrote:
> Dear Sirs,
> 
> do stateful rules have any effect on UDP/ICMP trafic ?

*** This is not an authoritize answer by any means ***

When I was looking into this for ICMP a couple months back w/
probably a 4.5 -S branch, I believe the structure and matching used
didn't take into account the ICMP type and code; iirc, it only
looked at the src_ip, src_port, dst_ip, dst_port, and proto. 

This may have changed as of late, but what I observed was that an
ICMP query (ICMP type 8, code 0) would open up traffic for all ICMP
types and codes.  I just created explicit denies for ICMP traffic I
wasn't expecting (inbound timestamp, address mask, echo requests,
etc), and assumed the risk that someone could perform whatever I
didn't deny during the life of the dynamic rule when I sent out an
ICMP packet that passed the ruleset

Someone else on the list may be able to answer this in more detail.
 Also, this phenomenon may only be true for dynamic rules.

FWIW,

Jon



__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message