From owner-freebsd-stable  Sun Oct 14  9: 8: 6 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from b80216.upc-b.chello.nl (b80216.upc-b.chello.nl [212.83.80.216])
	by hub.freebsd.org (Postfix) with ESMTP id BC78037B407
	for <stable@freebsd.org>; Sun, 14 Oct 2001 09:07:58 -0700 (PDT)
Received: from adv.devet.org (adv.devet.org [192.168.1.2])
	by b80216.upc-b.chello.nl (Postfix) with ESMTP id 3120068CC
	for <stable@freebsd.org>; Sun, 14 Oct 2001 18:07:57 +0200 (CEST)
Received: by adv.devet.org (Postfix, from userid 100)
	id C98C73E13; Sun, 14 Oct 2001 18:07:56 +0200 (CEST)
Date: Sun, 14 Oct 2001 18:07:56 +0200
To: stable@freebsd.org
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011014180756.A17546@adv.devet.org>
References: <Pine.GSO.4.21.0110121216390.27495-100000@sun10pg2.wam.umd.edu> <20011012185458.K69352-100000@darkwing.turbo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011012184741.D6274@blossom.cjclark.org>
User-Agent: Mutt/1.3.22.1i
X-Newsgroups: list.freebsd.stable
Organization: Eindhoven, the Netherlands
From: devet@devet.org (Arjan de Vet)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

In article <20011012184741.D6274@blossom.cjclark.org> you write:

>"Keeping state" on UDP (a stateless protocol, BTW) is pretty easy. You
>see a packet,
>
>  <src_ip>:<src_port> -> <dst_ip>:<dst_port>
>
>So you then allow,
>
>  <dst_ip>:<dst_port> -> <src_ip>:<src_port>
>
>To go through for a while. ipfw(8) dynamic rules will handle this just
>fine.

In the case of ipfilter keeping state on UDP connections will also allow
some ICMP messages (like 'host unreachable' or 'port unreachable') that
are 'related' to that particular UDP connection to pass through.

>ICMP is another issue. Doing something like,
>
>  pass icmp from any to any out via <external_if> keep-state
>
>Will let you ping the rest of the word and even let Windows-style
>traceroutes work, but that's because it works like this:
>
>  <src_ip>:<src_icmp_type.src_icmp_code> -> <dst_ip>
>
>Creates a dynamic rule,
>
>  pass icmp from <dst_ip> to <src_ip>
>
>That is, _any_ ICMP from <dst_ip> to <src_ip> is passed for the
>dynamic's rule lifetime.

IIRC ipfilter does not allow '_any_ ICMP' in such a case: if you send an
'ICMP echo' with keep-state then only 'ICMP echo reply' packets will be
allowed to pass through.

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands               <devet@devet.org>
URL: http://www.iae.nl/users/devet/             <Arjan.deVet@adv.iae.nl>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message