From owner-freebsd-hackers Thu Aug 2 8:19:32 2001
Delivered-To: freebsd-hackers@freebsd.org
From: "Dennis Berger"
Subject: keep-state rule for icmp, really stateful ???
Date: Thu, 2 Aug 2001 17:22:36 +0200

Hi

I have the following rule allowing traceroute and ping to my server.

"200 allow icmp from any to any keep-state in recv tun0 icmptype 8"

Now I would assume that this rule generates two dynamic rules back. The first one is a rule that initiates ping to work properly; it's just a dynamic ICMP rule:

00200 2623 220332 (T 30, # 43) ty 0 icmp, 134.100.58.115 0 <-> 213.23.32.88 0

and the second so that the traceroute UDP traffic from port 33434-33960 can pass in.

But what happens ... the rule 200 doesn't open a second dynamic rule to allow udp traffic to specific ports back in, the traceroute UDP traffic will be blocked.
To keep the icmp packetfiltering stateful it would be nice to implement this clean. Or maybe it is already implemented in CURRENT tree. What's the current state?

greets
Dennis
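Added here as an example, not part of Dennis's mail or of FreeBSD's own rc.firewall: an ipfw rule set that keeps his keep-state echo rule and adds the stateless rules traceroute *to* the host actually needs, since a dynamic rule only ever covers the protocol and endpoints of the packet that created it. It assumes tun0 is the external interface, that the host's own addresses are matched with ipfw's `me` keyword, and that probes use the usual 33434-33960 range.

```shell
#!/bin/sh
# Example ipfw rules for ping and UDP traceroute to this host (added example,
# assumptions: external interface tun0, local addresses matched by "me").
fwcmd="/sbin/ipfw"
ext_if="tun0"

# Print the rules instead of loading them, so the set can be reviewed first.
traceroute_ruleset() {
    cat <<EOF
add 100 check-state
# Echo requests in; the dynamic rule this creates covers ICMP between the
# two hosts only (ports 0 <-> 0), exactly as shown by "ipfw -d show".
add 200 allow icmp from any to any keep-state in recv ${ext_if} icmptypes 8
# keep-state on rule 200 never produces a UDP entry, so the traceroute
# probes need their own rule ...
add 210 allow udp from any to me 33434-33960 in recv ${ext_if}
# ... and the ICMP errors the host sends back (3 = port unreachable,
# 11 = time exceeded when forwarding) must be allowed out as well; no
# dynamic rule tracks ICMP errors for a UDP flow either.
add 220 allow icmp from me to any icmptypes 3,11 out xmit ${ext_if}
EOF
}

# Load the set on a FreeBSD host (needs root); comment lines are dropped
# because ipfw only treats '#' as a comment when reading a file itself.
apply_traceroute_ruleset() {
    traceroute_ruleset | grep -v '^#' | while read -r line; do
        ${fwcmd} -q ${line}
    done
}

# Number of rules covering the UDP probe range; a quick completeness check
# for anyone editing the set.
udp_probe_rules() {
    traceroute_ruleset | grep -c 'udp from any to me 33434-33960'
}
```

Running `traceroute_ruleset` prints the set; `apply_traceroute_ruleset` loads it.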