Date: Thu, 2 Aug 2001 17:22:36 +0200 From: "Dennis Berger" <HypnotiZer@gmx.net> To: <freebsd-hackers@freebsd.org> Subject: keep-state rule for icmp, really stateful ??? Message-ID: <000801c11b66$f57452e0$650110ac@nachpolierer>
Hi

I have the following rule allowing traceroute and ping to my server:

"200 allow icmp from any to any keep-state in recv tun0 icmptype 8"

Now I would assume that this rule generates two dynamic rules back. The first one is a rule that lets ping work properly; it's just a dynamic ICMP rule:

00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0

and the second one lets the traceroute UDP traffic from ports 33434-33960 pass in.

But what happens ... rule 200 doesn't open a second dynamic rule to allow UDP traffic to specific ports back in, so the traceroute UDP traffic will be blocked. To keep the ICMP packet filtering stateful it would be nice to implement this cleanly. Or maybe it is already implemented in the CURRENT tree. What's the current state?

greets
Dennis
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c11b66$f57452e0$650110ac>
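Added example, not from the original message and not FreeBSD's own code: an ipfw ruleset that handles the situation described above by admitting the traceroute UDP probes and the ICMP replies they provoke with explicit rules, since keep-state on the ICMP echo rule only creates the ICMP dynamic rule shown in the message. The interface name tun0 is taken from the message; the probe port range 33434-33534, the rule numbers and the dry-run wrapper are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD):
# an ipfw ruleset for ping and traceroute in both directions.
# keep-state on the ICMP echo rule creates only an ICMP dynamic rule,
# so the traceroute UDP probes and the ICMP replies they provoke are
# admitted explicitly.
# Assumptions: external interface tun0 (from the message); the probe
# port range 33434-33534 and the rule numbers are arbitrary choices.
set -e
EXT_IF="${EXT_IF:-tun0}"
TR_PORTS="${TR_PORTS:-33434-33534}"
# Safety default: print the commands. Run with IPFW_DRYRUN=0 to apply.
IPFW_DRYRUN="${IPFW_DRYRUN:-1}"

fw() {
    if [ "$IPFW_DRYRUN" = "1" ]; then
        echo "ipfw $*"
    else
        ipfw -q "$@"
    fi
}

ruleset() {
    fw -f flush
    # Packets matching an existing dynamic rule are accepted here.
    fw add 100 check-state
    # Ping to the box: the echo request creates the dynamic ICMP rule
    # and the echo reply going out matches it.
    fw add 200 allow icmp from any to me icmptypes 8 in recv "$EXT_IF" keep-state
    # Traceroute to the box: the UDP probes are not covered by the
    # dynamic ICMP rule above, so they need their own rule ...
    fw add 300 allow udp from any to me "$TR_PORTS" in recv "$EXT_IF"
    # ... and the ICMP port unreachable the box sends back is not
    # part of any UDP state either, so it is allowed out explicitly.
    fw add 310 allow icmp from me to any icmptypes 3 out xmit "$EXT_IF"
    # Traceroute from the box: probes out, hop replies (time exceeded 11,
    # port unreachable 3) back in.
    fw add 400 allow udp from me to any "$TR_PORTS" out xmit "$EXT_IF" keep-state
    fw add 410 allow icmp from any to me icmptypes 3,11 in recv "$EXT_IF"
    fw add 65000 deny log ip from any to any
}

ruleset
```

Run it as-is to review the generated rules; `IPFW_DRYRUN=0 sh ruleset.sh` applies them. The point of rules 300 and 310 is that neither direction of a traceroute is a single flow ipfw can track: the probe is UDP and the answer is ICMP, so stateful matching never links them and both have to be admitted on their own.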