Date: Mon, 7 Nov 2005 23:42:36 -0800 (PST)
From: Alberto Alesina <aalesina@yahoo.com>
To: freebsd-pf@freebsd.org
Subject: PF "keep state" for ICMP
Message-ID: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
Hello,

I have a question about ICMP states while using the "keep state" flag for PF rules.

          Intf-A
    A ----- B ------ C

B is running PF on FreeBSD 5.4 and has a rule with "keep state" for ICMP traffic in the "out" direction on Intf-A. There is also a rule to block all traffic in the "in" direction on Intf-A.

Now, if a ping is initiated from host C to host A, a state is created with the ICMP ID, source address and destination address as key.

My question is: would *only* ICMP echo *replies* be allowed back against that state? Or would *any* ICMP traffic with the corresponding ICMP ID, source address and destination address be allowed?

If *any* ICMP traffic is allowed back, and I happen to initiate ICMP echo *requests* from A to C (picking the same ICMP ID as the one in the state created by the ICMP echo requests from C to A), wouldn't that be a case where you can bypass the PF firewall?

Thank you very much.

Alberto Alesina.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051108074236.18256.qmail>
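The ruleset the question describes, written out as a pf.conf fragment. This is an added example for readers of the thread, not part of the original message or of the PF project's documentation; the interface name, the address of host A and the use of the documentation address range are assumptions. It places the loose rule from the message next to a tighter one that restricts the rule to echo requests with `icmp-type`, so that only outbound echo requests can create state on Intf-A in the first place, and shows the pfctl command for inspecting the resulting state entries on B.

```pf
# Added example (not from the original message). Topology: A ----- B ----- C,
# with B running PF and filtering on Intf-A, the interface facing A.
intf_a = "em0"          # assumption: name of Intf-A on host B
host_a = "192.0.2.10"   # assumption: address of host A (documentation range)

# Default stance on Intf-A as described in the message: nothing new comes in.
block in on $intf_a

# Loose form from the message: any ICMP type leaving on Intf-A creates state.
# With no icmp-type given, the rule matches every ICMP type, so every ICMP
# packet that leaves on Intf-A gets a state entry of its own.
# pass out on $intf_a inet proto icmp keep state

# Tighter form: only echo requests (type 8, code 0) leaving on Intf-A towards
# host A match this rule, so no other ICMP type can create state through it.
pass out on $intf_a inet proto icmp to $host_a icmp-type echoreq code 0 keep state

# While a ping from C to A is running, show the ICMP state entries on B:
#   pfctl -ss | grep icmp
# The listing shows the addresses and ICMP ID recorded for the state, which is
# what any reverse-direction packet would have to match.
```

Restricting the rule with `icmp-type` narrows which packets can create a state, but it does not by itself answer the question in the message about what matches an existing state in the reverse direction; that is best checked on a lab host by inspecting the state table with `pfctl -ss` and watching the counters with `pfctl -vvss` while traffic flows.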