From: "Michael Scheidell"
Delivered-To: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Date: Tue, 30 Oct 2001 07:39:09 -0500
Organization: Florida Datamation, Inc.

From: "Crist J. Clark"
Newsgroups: local.freebsd.security
Sent: Monday, October 29, 2001 8:14 PM
Subject: Re: can I use keep-state for icmp rules?

> Does it _really_ check what? The rule you have will allow any ICMP out
> of your network and create a dynamic rule to allow any ICMP back into
> the network from the destination of your outgoing message.
>
> > like tcp, there is the syn/ack/fin
> > handshake, will it only allow return icmp for outgoing?
>
> ipfw(8) doesn't know anything about TCP handshakes. You may be under
> the impression that ipfw(8) actually tracks the state of TCP
> connections. It doesn't really. The flags in TCP packets can affect
> the lifetime of the rule, but it doesn't really track the state.
You mean if I send email to your system, you can immediately connect to my internal tcp ports that might not normally have external access available?
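Added example, not code from this thread or from ipfw itself: a small Python model of the rule set Crist describes (check-state, then `allow icmp from <inside> to any keep-state`, then deny everything else), showing which inbound packets the dynamic rule lets back in. The LAN prefix, peer addresses and packets are constructed; the model covers only the ICMP rule under discussion and does not attempt to model how ipfw handles TCP flags or dynamic-rule lifetimes.

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.3."  # constructed: address prefix of the example LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp" or "tcp" in this model


class IcmpKeepStateModel:
    """Models the rule set discussed in the thread:
         check-state
         allow icmp from 192.168.3.0/24 to any keep-state
         deny ip from any to any
    A dynamic rule is recorded as (src, dst, proto) when an outgoing ICMP
    packet matches the keep-state rule; check-state then admits packets that
    match that entry in either direction, i.e. the reply from that peer only."""

    def __init__(self):
        self.dynamic = set()

    @staticmethod
    def _inside(addr):
        return addr.startswith(INSIDE_NET)

    def filter(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.proto)
        # check-state: an existing dynamic rule matches this packet or its reply direction
        if key in self.dynamic or reverse in self.dynamic:
            return "allow (dynamic)"
        # allow icmp from inside to any keep-state: pass it and install the dynamic rule
        if pkt.proto == "icmp" and self._inside(pkt.src):
            self.dynamic.add(key)
            return "allow (keep-state)"
        # deny ip from any to any
        return "deny"


def demo():
    """Runs constructed packets through the model and returns the decisions."""
    fw = IcmpKeepStateModel()
    inside, peer, stranger = "192.168.3.6", "203.0.113.10", "203.0.113.99"
    return [
        fw.filter(Packet(inside, peer, "icmp")),      # echo request out: installs state
        fw.filter(Packet(peer, inside, "icmp")),      # reply from that peer: dynamic match
        fw.filter(Packet(stranger, inside, "icmp")),  # ICMP from a host we never sent to
        fw.filter(Packet(peer, inside, "tcp")),       # TCP from the peer: ICMP state does not cover it
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```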