Date: Sat, 15 Jun 2002 10:08:08 -0700 (PDT)
From: Jon <cykyc@yahoo.com>
To: Ilia Chipitsine <ilia@cgu.chel.su>, questions@FreeBSD.ORG
Subject: Re: ipfw: stateful rules & UDP/ICMP
Message-ID: <20020615170808.81047.qmail@web20604.mail.yahoo.com>
In-Reply-To: <Pine.BSF.4.10.10206152154500.481-100000@jane.poka.net>
--- Ilia Chipitsine <ilia@cgu.chel.su> wrote:
> Dear Sirs,
>
> do stateful rules have any effect on UDP/ICMP traffic ?

*** This is not an authoritative answer by any means ***

When I was looking into this for ICMP a couple months back w/ probably a 4.5 -S branch, I believe the structure and matching used didn't take into account the ICMP type and code; IIRC, it only looked at the src_ip, src_port, dst_ip, dst_port, and proto. This may have changed as of late, but what I observed was that an ICMP query (ICMP type 8, code 0) would open up traffic for all ICMP types and codes.

I just created explicit denies for ICMP traffic I wasn't expecting (inbound timestamp, address mask, echo requests, etc.), and assumed the risk that someone could perform whatever I didn't deny during the life of the dynamic rule when I sent out an ICMP packet that passed the ruleset.

Someone else on the list may be able to answer this in more detail. Also, this phenomenon may only be true for dynamic rules.

FWIW,
Jon
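The workaround Jon describes, written out as an added example (this is not code from the original message): an ipfw ruleset in the style of FreeBSD's rc.firewall that denies the unwanted inbound ICMP types before check-state is ever reached, so a dynamic rule opened by the host's own outbound ICMP cannot admit them. The external interface name (fxp0) and the dry-run default (rules are echoed rather than loaded until fwcmd is pointed at /sbin/ipfw) are assumptions, not anything the message states.

```shell
#!/bin/sh
# Added example, not part of the original message: an ipfw ruleset in the
# style of FreeBSD's rc.firewall applying the workaround Jon describes,
# i.e. explicit denies for unwanted inbound ICMP types placed ahead of
# check-state, so a dynamic rule opened by our own outbound ICMP can never
# let them in. Interface name and the dry-run default are assumptions.

fwcmd="${fwcmd:-echo}"   # assumption: dry-run; set fwcmd=/sbin/ipfw to load for real
oif="${oif:-fxp0}"       # assumption: name of the external interface

build_ruleset() {
    ${fwcmd} -f flush

    # Per Jon's observation, a dynamic rule is keyed on proto/addresses/ports
    # (ports are zero for ICMP), not on ICMP type/code, so an outbound echo
    # request would otherwise let any ICMP type back in from that peer for
    # the life of the dynamic rule. Deny the types we never want to receive
    # before any state is consulted: 8 echo request, 13 timestamp request,
    # 15 information request, 17 address mask request.
    ${fwcmd} add 100 deny log icmp from any to any in via ${oif} icmptypes 8,13,15,17

    # Only now consult the dynamic rules created by keep-state below.
    ${fwcmd} add 200 check-state

    # Outbound traffic from this host creates the dynamic state; the replies
    # (e.g. echo reply, type 0) come back in through rule 200.
    ${fwcmd} add 300 allow icmp from any to any out via ${oif} keep-state
    ${fwcmd} add 310 allow tcp  from any to any out via ${oif} setup keep-state
    ${fwcmd} add 320 allow udp  from any to any out via ${oif} keep-state

    # Anything that gets this far is unwanted.
    ${fwcmd} add 65000 deny log ip from any to any
}

build_ruleset
```

Run it as `fwcmd=/sbin/ipfw sh ruleset.sh` to load the rules, then `ipfw -d list` shows the dynamic rules alongside the static ones, which is the quickest way to confirm that an outbound ping creates state for proto icmp with zero ports and that an inbound timestamp request from the same peer is still logged by rule 100 rather than passed by rule 200.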