From owner-freebsd-security Tue Oct 30 7:29:57 2001
Date: Tue, 30 Oct 2001 10:29:43 -0500 (EST)
From: Ralph Huntington
To: Michael Scheidell
Subject: Re: can I use keep-state for icmp rules?
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>
Message-ID: <20011030102625.U73979-100000@mohegan.mohawk.net>

> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to
> my internal tcp ports that might not normally have external access
> available?

ipfw does not really track the state, but ipfilter (ipf) does. My
understanding (please correct me if I'm wrong!) is that ipfw could be
fooled by incoming packets spoofing the state of the connection, whereas
ipf keeps its own table and relies on that instead of the incoming
packets' assertions.

-=r=-
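The distinction the reply draws, as an added illustration that is not from the thread or from either tool's source: a simplified model of a flow table whose entries only have their lifetime adjusted by TCP flags, next to a tracker that keeps its own handshake state and checks each packet against it. The class names, addresses and ports are made up for the example.

```python
# Constructed model of the two designs contrasted in the reply above; it is
# not ipfw or ipf code, and the addresses and ports are made up.
from collections import namedtuple
Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: frozenset of names

def fwd(p): return (p.src, p.sport, p.dst, p.dport)   # flow key, outbound view
def rev(p): return (p.dst, p.dport, p.src, p.sport)   # same flow, reply view

class LifetimeTable:
    """Dynamic-rule table in the style the thread ascribes to ipfw keep-state:
    any packet matching a live flow entry passes; flags only adjust the timer."""
    def __init__(self):
        self.ttl = {}
    def outbound(self, p):
        self.ttl[fwd(p)] = 300            # first outbound packet creates the entry
    def inbound(self, p):
        k = rev(p)
        if k not in self.ttl:
            return False
        if p.flags & {"FIN", "RST"}:
            self.ttl[k] = 1               # closing flags only shorten the lifetime
        return True                       # flags are otherwise not checked

class HandshakeTable:
    """Tracker that keeps its own connection state (what the reply ascribes to
    ipf) and passes only packets consistent with that state."""
    def __init__(self):
        self.state = {}
    def outbound(self, p):
        if p.flags == {"SYN"}:
            self.state[fwd(p)] = "SYN_SENT"
    def inbound(self, p):
        k = rev(p)
        st = self.state.get(k)
        if st == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.state[k] = "ESTABLISHED"
            return True
        if st == "ESTABLISHED" and "SYN" not in p.flags:
            return True
        return False                      # anything else contradicts the table

def compare(inbound_flags):
    """Open one outbound SMTP flow on each model, then offer an inbound packet
    on the reversed 5-tuple with the given flags; return (lifetime, handshake)."""
    syn = Pkt("192.0.2.10", 40000, "198.51.100.5", 25, frozenset({"SYN"}))
    back = Pkt("198.51.100.5", 25, "192.0.2.10", 40000, frozenset(inbound_flags))
    lt, hs = LifetimeTable(), HandshakeTable()
    lt.outbound(syn)
    hs.outbound(syn)
    return lt.inbound(back), hs.inbound(back)
```

Only the expected SYN/ACK satisfies both tables; a bare SYN or a lone ACK on the same 5-tuple still passes the lifetime table, which is the gap the reply describes.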