Date: Mon, 29 Oct 2001 15:39:54 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Michael Scheidell <scheidell@fdma.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011029153954.B224@gohan.cjclark.org>
In-Reply-To: <009c01c16017$dca045d0$0603a8c0@MIKELT>; from scheidell@fdma.com on Sun, Oct 28, 2001 at 08:20:12PM -0500
References: <009c01c16017$dca045d0$0603a8c0@MIKELT>
On Sun, Oct 28, 2001 at 08:20:12PM -0500, Michael Scheidell wrote:
> In trying to allow return icmp packets (I sent out an echo, icmp type 8, want
> to allow the echo reply, 0) or others, can I use keep-state for that rule?

Yes.

> thus:
> allow icmp from $oip to any keep-state out xmit $oif
> (yes, it takes it, doesn't reject it, looks like it puts rules in the
> ipfw -al)
>
> question, does it REALLY check?

Does it _really_ check what? The rule you have will allow any ICMP out of
your network and create a dynamic rule to allow any ICMP back into the
network from the destination of your outgoing message.

> like tcp, there is the syn/ack/fin
> handshake, will it only allow return icmp for outgoing?

ipfw(8) doesn't know anything about TCP handshakes. You may be under the
impression that ipfw(8) actually tracks the state of TCP connections. It
doesn't really. The flags in TCP packets can affect the lifetime of the
rule, but it doesn't really track the state.

> does it know to allow an echo (0) for an outgoing 8? (ping?)

Like I said, it works like,

  ICMP src_ip -----> dst_ip

Creates a dynamic rule that allows,

  ICMP src_ip <----- dst_ip

--
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
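Added example (not from the thread and not ipfw's own code): a small Python simulation of the behaviour the reply describes, using constructed addresses, showing that the dynamic rule is keyed on protocol and the address pair only, so ICMP of any type coming back from the peer matches while unsolicited ICMP from another host does not.

```python
# Toy model of ipfw keep-state for ICMP as the reply describes it: the
# dynamic rule is keyed on protocol and the two addresses, not on ICMP type.
# Simplified simulation for illustration only; it is not ipfw's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "icmp", "tcp", ...
    src: str
    dst: str
    icmptype: int   # 8 = echo request, 0 = echo reply, 13 = timestamp request
    direction: str  # "out" (leaving our network) or "in" (arriving)


class StatefulFirewall:
    """Models 'allow icmp from $oip to any keep-state out' plus a check-state."""

    def __init__(self, oip: str):
        self.oip = oip          # our address, standing in for $oip
        self.dynamic = set()    # (proto, src, dst) tuples created by keep-state

    def check_state(self, pkt: Packet) -> bool:
        # A dynamic rule matches traffic in both directions between the pair.
        fwd = (pkt.proto, pkt.src, pkt.dst)
        rev = (pkt.proto, pkt.dst, pkt.src)
        return fwd in self.dynamic or rev in self.dynamic

    def filter(self, pkt: Packet) -> str:
        if self.check_state(pkt):
            return "allow-dynamic"
        # The static rule only fires for ICMP leaving from our own address.
        if pkt.direction == "out" and pkt.proto == "icmp" and pkt.src == self.oip:
            self.dynamic.add((pkt.proto, pkt.src, pkt.dst))
            return "allow-keep-state"
        return "deny"


def ping_exchange():
    """Constructed sample traffic (documentation addresses); returns one verdict per packet."""
    fw = StatefulFirewall("192.0.2.10")
    pkts = [
        Packet("icmp", "192.0.2.10", "198.51.100.5", 8, "out"),  # our echo request
        Packet("icmp", "198.51.100.5", "192.0.2.10", 0, "in"),   # matching echo reply
        Packet("icmp", "198.51.100.5", "192.0.2.10", 13, "in"),  # different type, same peer
        Packet("icmp", "203.0.113.9", "192.0.2.10", 0, "in"),    # reply from a stranger
    ]
    return [fw.filter(p) for p in pkts]
```

The third verdict is the point of the reply: once the dynamic rule exists, the firewall does not pair an echo reply (0) with the echo request (8); anything ICMP from that peer gets through until the rule expires.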