From owner-freebsd-ipfw Fri Jul 12 22:27:56 2002
Date: Fri, 12 Jul 2002 22:27:50 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020713052750.GA48937@blossom.cjclark.org>
In-Reply-To: <20020704043409.A26837@iguana.icir.org>
References: <20020704043409.A26837@iguana.icir.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/

On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> I was looking at the implementation of ipfw rules which generate
> a feedback packet back to the source (reset, reject and unreach)
> and I realised that there is a potential problem here...
>
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RST do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
>
> I think policies should be consistent -- either all packets (including
> ICMPs generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
>
> So, what do we want to do?

I would initially say that packets generated by a firewall rule should
go out without being filtered again. That is the simplest. Simple makes
for better security. I've been trying to think of configurations where
the only way to control where replies go is by outgoing filter rules,
but I haven't been able to think of any.
--
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
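The two policies Luigi contrasts (feedback packets re-entering the filter versus bypassing it) can be made concrete with a small model. The following is an added illustration written for this archive page, not ipfw's own code: it is a deliberately tiny first-match rule evaluator with a `reset`/`unreach` action, a constructed ruleset in which the administrator also denies all outbound TCP, and constructed addresses. It shows the inconsistency the thread describes (a TCP RST generated by a `reset` rule is itself blocked by the outbound deny when re-filtered, while the ICMP reply is not) and the loop guard that any "filter again" policy needs: a packet the firewall generated never triggers another feedback packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str            # "in" or "out"
    generated: bool = False   # True if the firewall itself created this packet


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow", "deny", "reset" or "unreach"
    proto: str                # "tcp", "udp", "icmp" or "ip" (any protocol)
    direction: str            # "in", "out" or "any"

    def matches(self, p: Packet) -> bool:
        return self.proto in ("ip", p.proto) and self.direction in ("any", p.direction)


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """ipfw-style first match: the lowest-numbered matching rule decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r
    return None


def feedback_for(rule: Rule, p: Packet) -> Optional[Packet]:
    """The feedback packet a rejecting rule sends back towards the source:
    a TCP RST for 'reset', an ICMP unreachable for 'unreach'."""
    if rule.action == "reset" and p.proto == "tcp":
        return Packet("tcp", p.dst, p.src, "out", generated=True)
    if rule.action == "unreach":
        return Packet("icmp", p.dst, p.src, "out", generated=True)
    return None


def filter_packet(rules: List[Rule], p: Packet, policy: str) -> Dict[str, Optional[str]]:
    """Evaluate p and return {'packet': fate, 'feedback': fate or None}.

    policy == "bypass":   feedback packets leave without being filtered.
    policy == "refilter": feedback packets run through the rules again.
    In both cases a generated packet never produces another feedback
    packet, which is the loop guard the thread refers to.
    """
    rule = first_match(rules, p)
    if rule is None or rule.action == "allow":
        return {"packet": "pass", "feedback": None}
    fb = None if p.generated else feedback_for(rule, p)
    if fb is None:
        return {"packet": "drop", "feedback": None}
    if policy == "bypass":
        return {"packet": "drop", "feedback": "pass"}
    return {"packet": "drop", "feedback": filter_packet(rules, fb, "refilter")["packet"]}


# Constructed ruleset: inbound TCP is rejected with a RST, inbound UDP with an
# ICMP unreachable, and (the problematic part) all outbound TCP is denied.
RULESET = [
    Rule(100, "allow", "icmp", "any"),
    Rule(200, "reset", "tcp", "in"),
    Rule(300, "deny", "tcp", "out"),
    Rule(400, "unreach", "udp", "in"),
    Rule(65535, "deny", "ip", "any"),
]

# Constructed sample packets (documentation addresses).
INBOUND_TCP = Packet("tcp", "198.51.100.7", "192.0.2.1", "in")
INBOUND_UDP = Packet("udp", "198.51.100.7", "192.0.2.1", "in")


def compare_policies(p: Packet) -> Dict[str, Optional[str]]:
    """Fate of the feedback packet generated for p under each policy."""
    return {policy: filter_packet(RULESET, p, policy)["feedback"]
            for policy in ("bypass", "refilter")}


if __name__ == "__main__":
    for name, p in (("inbound tcp", INBOUND_TCP), ("inbound udp", INBOUND_UDP)):
        print(name, compare_policies(p))
```

Under `bypass` both replies reach the source; under `refilter` the RST from rule 200 is swallowed by rule 300 while the ICMP unreachable from rule 400 is let out by rule 100. That asymmetry is the point of the RFC, and the `generated` flag is the minimum needed to keep a `reset tcp any` rule from answering its own RSTs forever.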