From: "Michael Scheidell"
Delivered-To: freebsd-security@freebsd.org
Subject: can I use keep-state for icmp rules?
Date: Sun, 28 Oct 2001 20:20:12 -0500
Organization: Florida Datamation, Inc.
Message-ID: <009c01c16017$dca045d0$0603a8c0@MIKELT>

In trying to allow return icmp packets (I sent out an echo, icmp type 8, want to allow the echo reply, 0) or others, can I use keep-state for that rule?

Thus:

    allow icmp from $oip to any keep-state out xmit $oif

(Yes, it takes it, doesn't reject it, looks like it puts rules in the ipfw -al.)

Question: does it REALLY check? Like tcp, there is the syn/ack/fin handshake; will it only allow return icmp for outgoing? Does it know to allow an echo (0) for an outgoing 8? (ping?)

Michael Scheidell