From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 07:42:41 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C4F9216A41F for ; Tue, 8 Nov 2005 07:42:41 +0000 (GMT) (envelope-from aalesina@yahoo.com)
Received: from web32602.mail.mud.yahoo.com (web32602.mail.mud.yahoo.com [68.142.207.229]) by mx1.FreeBSD.org (Postfix) with SMTP id 402FE43D45 for ; Tue, 8 Nov 2005 07:42:36 +0000 (GMT) (envelope-from aalesina@yahoo.com)
Received: (qmail 18258 invoked by uid 60001); 8 Nov 2005 07:42:36 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=0IuHBM1Ye85cLcDlmLu8/pufZCFM2cC/4YouoF08Bn6u08e+DXnWKptr9+7oI3fgr0F3ADihESAdl+fm3YfNxggXBWdjZ4PG8pEsvgDBxobLpbsK0GsowaU56V532Rao24q/hGqN7LEdukmAgPObg6RQgHImeGyHChqxvzETn/A=
Message-ID: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
Received: from [24.6.214.44] by web32602.mail.mud.yahoo.com via HTTP; Mon, 07 Nov 2005 23:42:36 PST
Date: Mon, 7 Nov 2005 23:42:36 -0800 (PST)
From: Alberto Alesina
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: PF "keep state" for ICMP
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 08 Nov 2005 07:42:41 -0000

Hello,

I have a question about ICMP states while using the "keep state" flags for PF rules.

        Intf-A
A ----- B ------ C

B is running PF on FreeBSD 5.4 and has a rule with "keep state" for ICMP traffic in the "out" direction on Intf-A.
There is also a rule to block all traffic in the "in" direction on Intf-A.

Now, if a ping is initiated from host C to host A, a state is created with the ICMP ID and source address and destination address as key.

My question is - would *only* ICMP echo *replies* be allowed back against that state? Or, would *any* ICMP traffic with the corresponding ICMP ID, source address and destination address be allowed?

If *any* ICMP traffic is allowed back, if I happen to initiate ICMP echo *requests* from A to C (picking the same ICMP ID as the one in the state created by the ICMP echo requests from C to A), wouldn't that be a case where you can bypass the PF firewall?

Thank you very much.

Alberto Alesina.
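The ruleset the post describes, written out as an added pf.conf example for reference (this is not configuration from the original post; the interface name, the macro names and the comment placement are assumptions, and the syntax is the pre-OpenBSD-4.0 form that FreeBSD 5.4's pf accepts):

```pf
# Constructed example matching the topology A ----- B ------ C.
# $ext_if is Intf-A on host B, the interface facing host A (assumed name).
ext_if = "fxp0"

# Block everything that arrives on Intf-A.
block in on $ext_if all

# ICMP that B forwards out of Intf-A (for example echo requests from C to A)
# creates a state, so the matching traffic coming back is passed despite the
# block rule above. This is the rule the question is about.
pass out on $ext_if inet proto icmp all keep state
```

After C pings A, `pfctl -ss` on B lists the ICMP state; on an ICMP state the number shown after the colon on each address is the ICMP ID, not a port, which is the key the post asks about. Restricting the out rule with `icmp-type echoreq` limits which ICMP B will forward out, but it does not by itself answer what pf accepts back against the state once it exists.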
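To make the question concrete, the following added Python model shows the two possible behaviours the post is asking about: a state keyed only on (src, dst, ICMP ID) versus a state that also remembers the request type and admits only the corresponding reply. This is a constructed illustration of the poster's scenario, not pf's source code, and it makes no claim about which behaviour pf on FreeBSD 5.4 actually implements; the addresses, ICMP IDs and the `Filter` class are assumptions.

```python
"""Model of host B's filter on Intf-A: 'block in' plus 'pass out keep state'
for ICMP. Two keying schemes are compared; neither is claimed to be pf's."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8

# Addresses are assumptions drawn from documentation ranges.
HOST_A = "192.0.2.10"
HOST_C = "198.51.100.20"


@dataclass(frozen=True)
class Icmp:
    """The fields of an ICMP echo packet that matter for state matching."""
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


def reply_type(request_type: int) -> Optional[int]:
    """ICMP query type -> the type of the packet that answers it."""
    return ECHO_REPLY if request_type == ECHO_REQUEST else None


class Filter:
    """Stateful filter on Intf-A. check_type=False keys state on addresses
    and ICMP ID only; check_type=True additionally requires the inbound
    packet to be the reply type for the request that created the state."""

    def __init__(self, check_type: bool) -> None:
        self.check_type = check_type
        # (src, dst, icmp_id) of the outbound packet -> its ICMP type
        self.states: Dict[Tuple[str, str, int], int] = {}

    def outbound(self, pkt: Icmp) -> bool:
        """'pass out proto icmp keep state': forward and record a state."""
        self.states[(pkt.src, pkt.dst, pkt.icmp_id)] = pkt.icmp_type
        return True

    def inbound(self, pkt: Icmp) -> bool:
        """'block in' unless the packet matches an existing state."""
        key = (pkt.dst, pkt.src, pkt.icmp_id)   # reverse of the outbound key
        if key not in self.states:
            return False
        if not self.check_type:
            return True                          # any ICMP with that key passes
        return pkt.icmp_type == reply_type(self.states[key])


def scenario(check_type: bool) -> Tuple[bool, bool, bool]:
    """C pings A through B, then A sends traffic back toward C.
    Returns (reply_passed, same_id_request_passed, other_id_request_passed)."""
    fw = Filter(check_type)
    fw.outbound(Icmp(HOST_C, HOST_A, ECHO_REQUEST, 0x1234))
    # The legitimate echo reply from A.
    reply = fw.inbound(Icmp(HOST_A, HOST_C, ECHO_REPLY, 0x1234))
    # The case from the post: A sends an echo *request* reusing the ID.
    same_id_request = fw.inbound(Icmp(HOST_A, HOST_C, ECHO_REQUEST, 0x1234))
    # A request with an ID that matches no state is blocked either way.
    other_request = fw.inbound(Icmp(HOST_A, HOST_C, ECHO_REQUEST, 0x9999))
    return reply, same_id_request, other_request


if __name__ == "__main__":
    print("ID-only key  :", scenario(check_type=False))   # (True, True, False)
    print("type-aware   :", scenario(check_type=True))    # (True, False, False)
```

With an ID-only key the model reproduces exactly the bypass the post worries about: A's echo request with the reused ID rides through the `block in` rule on the state C created. With the type-aware key only the echo reply is admitted. Whether the real pf falls in the first or second column is what the post is asking the list to confirm.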