Date:      Tue, 30 Oct 2001 22:51:35 +1000
From:      David Trzcinski <xlr82xs@xlr82xs.shacknet.nu>
To:        "Michael Scheidell" <scheidell@fdma.com>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <20011030125142.99B76137AB@xlr82xs.shacknet.nu>
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>
References:  <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, that depends.
If you're like me and allow incoming established connections to any port, allow
connections to be established to certain ports, and deny the rest, it's unlikely
that he could do that, unless he connects without sending a "connect" packet first
(i.e. SYN, whatever... it's been a while, bear with me), as, though the packet
would make it through your firewall, your computer wouldn't/shouldn't reply to it
or establish a connection.


At least that's my understanding of it.

Don't quote me.
Don't quote anyone I know.


On Tue, 30 Oct 2001 22:39, Michael Scheidell wrote:
> From: "Crist J. Clark" <cristjc@earthlink.net>
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

- -- 
                      Loose bits sink chips.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE73qJYum8ncRDnN44RAoWBAKCg5LX2DkSPn6RhXxCMlU4lHYou1ACdFA6k
DLOlcK2Wu+VPmQfv7jvwjUk=
=+06r
-----END PGP SIGNATURE-----
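The situation the thread is arguing about, as an added example that is not part of the original message and not ipfw's own code: a small Python model of ipfw(8) rule matching, with the stateless "established to any port, setup to certain ports, deny the rest" ruleset beside a check-state/keep-state ruleset. The hosts 192.0.2.10 and 198.51.100.5, the probed port 3306 and the mail session are constructed for the demonstration. `established` is modelled as "ACK or RST set", `setup` as "SYN set, ACK clear", and a dynamic rule as the bidirectional 5-tuple of the packet that created it, which is how ipfw(8) documents them; the default rule is modelled as deny.

```python
# Added example, not ipfw code: a minimal model of how ipfw(8) matches the two
# rule styles discussed in this thread. Hosts, ports and the sessions are constructed.
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "icmp"
    src: str
    sport: int      # 0 for icmp
    dst: str
    dport: int      # 0 for icmp
    flags: int = 0  # TCP flags; unused for icmp

@dataclass(frozen=True)
class Rule:
    action: str                # "allow", "deny" or "check-state"
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"           # "any" or "me"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False  # stateless: any TCP packet with ACK or RST set
    setup: bool = False        # TCP with SYN set and ACK clear
    keep_state: bool = False   # add a dynamic rule for this flow when matched

def flow_key(p: Pkt):
    # Dynamic rules match both directions, so the key is order-independent.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Firewall:
    def __init__(self, me: str, rules):
        self.me, self.rules, self.dynamic = me, list(rules), set()

    def _matches(self, r: Rule, p: Pkt) -> bool:
        addr_ok = lambda want, have: want == "any" or (want == "me" and have == self.me)
        if r.proto not in ("ip", p.proto) or not (addr_ok(r.src, p.src) and addr_ok(r.dst, p.dst)):
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.established and not (p.proto == "tcp" and p.flags & (ACK | RST)):
            return False
        if r.setup and not (p.proto == "tcp" and p.flags & SYN and not p.flags & ACK):
            return False
        return True

    def filter(self, p: Pkt) -> str:
        """Walk the rules in order, as ipfw does; return "allow" or "deny"."""
        for r in self.rules:
            # check-state (and any keep-state rule) consults the dynamic table first
            if (r.action == "check-state" or r.keep_state) and flow_key(p) in self.dynamic:
                return "allow"
            if r.action != "check-state" and self._matches(r, p):
                if r.keep_state:
                    self.dynamic.add(flow_key(p))
                return r.action
        return "deny"  # modelled default rule: deny everything else

def host_reply(p: Pkt, listening: set) -> str:
    """TCP stack behind the firewall (RFC 793): a segment with ACK set that belongs
    to no connection gets a RST on any port; only a SYN to a listening port is answered."""
    if p.proto != "tcp":
        return "ignored"
    if not p.flags & ACK and p.flags & SYN and p.dport in listening:
        return "SYN+ACK"
    return "RST"

ME, MX, PROBED = "192.0.2.10", "198.51.100.5", 3306  # constructed hosts and port

# "allow established to any port, setup to certain ports, deny the rest"
STATELESS = [
    Rule("allow", "tcp", src="me"),                        # our outgoing traffic
    Rule("allow", "tcp", established=True),                # any packet with ACK or RST
    Rule("allow", "tcp", dst="me", dport=25, setup=True),  # inbound mail
    Rule("deny"),
]
STATEFUL = [
    Rule("check-state"),
    Rule("allow", "tcp", src="me", setup=True, keep_state=True),
    Rule("allow", "tcp", dst="me", dport=25, setup=True, keep_state=True),
    Rule("allow", "icmp", src="me", keep_state=True),      # the rule from the subject line
    Rule("deny"),
]

def run_scenario(rules) -> dict:
    fw, out = Firewall(ME, rules), {}
    out["our_syn"] = fw.filter(Pkt("tcp", ME, 4321, MX, 25, SYN))            # we send mail
    out["their_synack"] = fw.filter(Pkt("tcp", MX, 25, ME, 4321, SYN | ACK))  # MX answers
    probe = Pkt("tcp", MX, 40000, ME, PROBED, ACK)   # later: bare ACK at an unrelated port
    out["ack_probe"] = fw.filter(probe)
    out["ack_probe_reply"] = host_reply(probe, {25}) if out["ack_probe"] == "allow" else "dropped"
    out["syn_probe"] = fw.filter(Pkt("tcp", MX, 40001, ME, PROBED, SYN))
    out["our_ping"] = fw.filter(Pkt("icmp", ME, 0, MX, 0))
    out["their_echo_reply"] = fw.filter(Pkt("icmp", MX, 0, ME, 0))
    out["stray_icmp"] = fw.filter(Pkt("icmp", "203.0.113.7", 0, ME, 0))
    return out

if __name__ == "__main__":
    for name, rules in (("stateless", STATELESS), ("keep-state", STATEFUL)):
        print(name, run_scenario(rules))
```

Under the stateless ruleset the bare ACK reaches port 3306 and the host answers it with a RST, so the mail recipient cannot open a connection there, but he does learn that the host is up and that the port is not filtered, which is exactly what an ACK scan is for. Under the keep-state ruleset the same packet is dropped at the firewall because no dynamic rule covers that flow, and the ICMP keep-state rule lets echo replies from the pinged host back in while still dropping ICMP from anyone else.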
