From owner-freebsd-pf@FreeBSD.ORG Tue Nov 8 09:59:06 2005
Date: Tue, 8 Nov 2005 10:59:03 +0100
From: Daniel Hartmeier
To: Alberto Alesina
Cc: freebsd-pf@freebsd.org
Subject: Re: PF "keep state" for ICMP
Message-ID: <20051108095903.GB6116@insomnia.benzedrine.cx>
In-Reply-To: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
References: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
User-Agent: Mutt/1.5.10i
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Nov 07, 2005 at 11:42:36PM -0800, Alberto Alesina wrote:

> My question is - would *only* ICMP echo *replies* be
> allowed back against that state? Or, would *any* ICMP
> traffic with the corresponding ICMP ID, source address
> and destination address be allowed?

The latter.
> If *any* ICMP traffic is allowed back, if I happen to
> initiate ICMP echo *requests* from A to C (picking the
> same ICMP ID as the one in the state created by the
> ICMP echo requests from C to A), wouldn't that be a
> case where you can bypass the PF firewall?

If you want to put it that way, yes.

Assuming you're a malicious A, what do you gain, though? You're already
getting pinged by C, so you know it's there. You could already deliver an
arbitrary amount of reply packets. Fingerprinting silliness?

Daniel
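The state-matching behaviour Daniel describes, modelled as an added example (this is not pf source code and not part of the thread). It assumes, as the reply states, that an outbound ICMP echo request with `keep state` creates a state keyed on source address, destination address and ICMP ID, and that any ICMP packet matching that key in the reverse direction is passed regardless of its ICMP type. The hosts `A`, `B`, `C`, the IDs and the optional `reply_only` mode are constructed for illustration; pf itself offers no such mode, it is here only to show the difference between the two semantics the question asks about.

```python
"""Toy model of pf's ICMP state matching as described in the reply above.

Added example, not pf code. State key = (src, dst, icmp_id); an inbound
packet is passed when it matches an existing state in the reverse direction.
"""
from dataclasses import dataclass

# Real ICMP type numbers for echo request / echo reply.
ECHO_REQUEST = 8
ECHO_REPLY = 0


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class IcmpStateTable:
    """Minimal state table for ICMP echo traffic.

    reply_only=False reproduces the behaviour described in the thread (any
    ICMP type with a matching key is passed). reply_only=True is a
    hypothetical stricter variant used only for comparison.
    """

    def __init__(self, reply_only: bool = False) -> None:
        self.reply_only = reply_only
        self._states: set[tuple[str, str, int]] = set()

    def outbound(self, pkt: IcmpPacket) -> bool:
        """An outbound echo request under 'keep state' creates a state entry."""
        if pkt.icmp_type != ECHO_REQUEST:
            return False
        self._states.add((pkt.src, pkt.dst, pkt.icmp_id))
        return True

    def inbound(self, pkt: IcmpPacket) -> bool:
        """Pass an inbound packet only if it matches a state in reverse."""
        if (pkt.dst, pkt.src, pkt.icmp_id) not in self._states:
            return False
        if self.reply_only and pkt.icmp_type != ECHO_REPLY:
            return False
        return True


def evaluate(reply_only: bool = False) -> dict[str, bool]:
    """C pings A once; then check what the resulting state lets back in from A."""
    table = IcmpStateTable(reply_only=reply_only)
    table.outbound(IcmpPacket("C", "A", ECHO_REQUEST, 0x1234))  # constructed ID
    return {
        # the expected echo reply, same ID: passes in both models
        "reply_same_id": table.inbound(IcmpPacket("A", "C", ECHO_REPLY, 0x1234)),
        # an echo *request* from A reusing the ID: passes in pf's model (the
        # case the question raises), blocked only in the hypothetical strict one
        "request_same_id": table.inbound(IcmpPacket("A", "C", ECHO_REQUEST, 0x1234)),
        # a different ID does not match the state
        "request_other_id": table.inbound(IcmpPacket("A", "C", ECHO_REQUEST, 0x9999)),
        # a different host does not match the state either
        "reply_from_other_host": table.inbound(IcmpPacket("B", "C", ECHO_REPLY, 0x1234)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("reply_only =", mode, evaluate(reply_only=mode))
```

Running it shows that the state only ever admits traffic from the host that was pinged, with the same ID, which is why the reply judges the exposure to be small: the host that is allowed to send an echo request back could already have sent any number of echo replies.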