From owner-freebsd-security Tue Oct 30 4:51:52 2001
From: David Trzcinski
Reply-To: xlr82xs@sdf.lonestar.org
To: "Michael Scheidell"
Subject: Re: can I use keep-state for icmp rules?
Date: Tue, 30 Oct 2001 22:51:35 +1000
X-Mailer: KMail [version 1.3]
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT>
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>
Message-Id: <20011030125142.99B76137AB@xlr82xs.shacknet.nu>
Sender: owner-freebsd-security@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, that depends. If you're like me and allow incoming established
connections to any port, allow connections to be established to certain
ports, and deny the rest, it's unlikely, unless he connects without sending
a "connect" packet first (i.e. SYN, whatever... it's been a while, bear with
me), that he could do that, as, though the packet would make it through your
firewall, your computer wouldn't/shouldn't reply to it or establish a
connection. At least that's my understanding of it. Don't quote me, don't
quote anyone I know.

On Tue, 30 Oct 2001 22:39, Michael Scheidell wrote:
> From: "Crist J. Clark"
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

- --
Loose bits sink chips.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE73qJYum8ncRDnN44RAoWBAKCg5LX2DkSPn6RhXxCMlU4lHYou1ACdFA6k
DLOlcK2Wu+VPmQfv7jvwjUk=
=+06r
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
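The following is a toy model of the dynamic-rule behaviour Crist describes, added here as a worked example; it is not ipfw's code and not anything posted in the thread. It assumes three things: that a `keep-state` rule creates a dynamic rule keyed on the (proto, src, dst, sport, dport) of the packet that created it and matching either direction of that tuple; that for TCP the flags seen so far only pick the rule's lifetime (the assumed defaults of the `net.inet.ip.fw.dyn_*_lifetime` sysctls are used as constants); and that the `setup` option matches only packets with SYN set and ACK clear. The addresses and ports are constructed. The model goes slightly beyond the thread by also showing what `setup` changes, which is the point David raises about a "connect" packet.

```python
# Toy model of ipfw(8) "keep-state" dynamic rules. Example code for this
# thread, not ipfw's own implementation. Lifetimes are the ASSUMED defaults
# of the net.inet.ip.fw.dyn_*_lifetime sysctls; addresses are constructed.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
BOTH_SYN = SYN | (SYN << 8)          # SYN seen in both directions
BOTH_FIN = FIN | (FIN << 8)
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "udp": 10, "short": 5}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0
    flags: int = 0        # TCP flags; ignored for other protocols


@dataclass
class DynRule:
    key: tuple            # (proto, src, dst, sport, dport) of the creating packet
    expire: int
    state: int = 0        # flags seen: forward in the low byte, reverse in the high byte


class Firewall:
    """Static rules are dicts mirroring the ipfw line they stand for."""

    def __init__(self, rules, now=0):
        self.rules, self.now, self.dyn = rules, now, []

    def _tcp_lifetime(self, state):
        # Flags seen so far pick a timeout; nothing else is decided by them.
        if state == SYN:
            return LIFETIME["syn"]                          # half open
        if state in (BOTH_SYN, BOTH_SYN | FIN, BOTH_SYN | (FIN << 8)):
            return LIFETIME["ack"]                          # established / closing
        if state == BOTH_SYN | BOTH_FIN:
            return LIFETIME["fin"]
        return LIFETIME["rst"]                              # RST or odd combination

    def _check_state(self, pkt):
        """True if an unexpired dynamic rule matches pkt in either direction."""
        self.dyn = [d for d in self.dyn if d.expire > self.now]
        fwd = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        for d in self.dyn:
            if d.key in (fwd, rev):
                if pkt.proto == "tcp":
                    bits = pkt.flags & (SYN | FIN | RST)
                    d.state |= bits if d.key == fwd else bits << 8
                    d.expire = self.now + self._tcp_lifetime(d.state)
                else:
                    d.expire = self.now + LIFETIME["udp" if pkt.proto == "udp" else "short"]
                return True                                 # matched: no flag check at all
        return False

    def _static_match(self, rule, pkt, direction):
        if rule.get("proto", "ip") not in ("ip", pkt.proto):
            return False
        if rule.get("dir") not in (None, direction):
            return False
        if "dport" in rule and rule["dport"] != pkt.dport:
            return False
        # "setup": SYN set and ACK clear, i.e. a genuine opening packet
        if rule.get("setup") and (pkt.flags & (SYN | ACK)) != SYN:
            return False
        return True

    def filter(self, pkt, direction):
        """Walk the rules like ipfw does: first match wins; 'allow' or 'deny'."""
        for rule in self.rules:
            if rule["action"] == "check-state":
                if self._check_state(pkt):
                    return "allow"
                continue
            if not self._static_match(rule, pkt, direction):
                continue
            if rule["action"] == "allow" and rule.get("keep-state"):
                key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
                self.dyn.append(DynRule(key, self.now + LIFETIME["short"]))
                self._check_state(pkt)        # set state/lifetime from this packet's flags
            return rule["action"]
        return "deny"


# The ruleset under discussion, as the ipfw lines would read:
#   ipfw add check-state
#   ipfw add allow icmp from any to any out keep-state
#   ipfw add allow tcp  from any to any out keep-state
#   ipfw add allow tcp  from any to any 25 in setup keep-state
#   ipfw add deny ip from any to any
RULES = [
    {"action": "check-state"},
    {"action": "allow", "proto": "icmp", "dir": "out", "keep-state": True},
    {"action": "allow", "proto": "tcp", "dir": "out", "keep-state": True},
    {"action": "allow", "proto": "tcp", "dir": "in", "dport": 25, "setup": True, "keep-state": True},
    {"action": "deny"},
]
ME, PEER, OTHER = "10.0.0.5", "203.0.113.9", "198.51.100.7"   # constructed addresses


def icmp_demo():
    """Outbound ping opens a dynamic rule; only that peer's ICMP gets back in, until it expires."""
    fw = Firewall(RULES)
    out = fw.filter(Packet("icmp", ME, PEER), "out")
    reply = fw.filter(Packet("icmp", PEER, ME), "in")
    stranger = fw.filter(Packet("icmp", OTHER, ME), "in")
    fw.now += LIFETIME["short"] + 1                     # let the dynamic rule expire
    late = fw.filter(Packet("icmp", PEER, ME), "in")
    return out, reply, stranger, late


def smtp_demo():
    """Michael's question: an inbound SMTP session keys state on its own tuple, not on the host."""
    fw = Firewall(RULES)
    syn = fw.filter(Packet("tcp", OTHER, ME, 40000, 25, SYN), "in")
    synack = fw.filter(Packet("tcp", ME, OTHER, 25, 40000, SYN | ACK), "out")
    lifetime = fw.dyn[0].expire - fw.now                # both SYNs seen: "ack" lifetime
    same_tuple = fw.filter(Packet("tcp", OTHER, ME, 40000, 25, ACK), "in")
    other_port = fw.filter(Packet("tcp", OTHER, ME, 40000, 22, SYN), "in")
    return syn, synack, lifetime, same_tuple, other_port


def bare_ack_demo(with_setup):
    """A lone ACK to port 25: 'setup' rejects it; without 'setup' it creates state anyway."""
    rules = [dict(r, setup=with_setup) if r.get("dport") == 25 else r for r in RULES]
    fw = Firewall(rules)
    verdict = fw.filter(Packet("tcp", OTHER, ME, 40001, 25, ACK), "in")
    return verdict, len(fw.dyn)


if __name__ == "__main__":
    print("icmp:", icmp_demo())
    print("smtp:", smtp_demo())
    print("bare ack, setup:", bare_ack_demo(True), "no setup:", bare_ack_demo(False))
```

Two things in the model are worth carrying back to a real ruleset. First, the dynamic rule created by an inbound SMTP connection matches only its own address/port tuple, so a later packet from the same host to another port falls through to the static rules. Second, `keep-state` without `setup` will happily create a dynamic rule for a lone ACK, because the match is on the tuple and the flags only set the timeout; putting `setup` on the inbound rule is what makes a handshake-opening packet a prerequisite.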