Date: Tue, 30 Oct 2001 16:42:53 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Michael Scheidell <scheidell@fdma.com>
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011030164253.C223@gohan.cjclark.org>
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>; from scheidell@fdma.com on Tue, Oct 30, 2001 at 07:39:09AM -0500
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT>
On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> From: "Crist J. Clark" <cristjc@earthlink.net>
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?

No. If you send out a TCP packet to my system that matches your
'keep-state' rule,

  TCP src_ip.src_port ----> dst_ip.dst_port

I can send _any_ TCP packet back,

  TCP src_ip.src_port <---- dst_ip.dst_port

And it will pass provided the source and destination IP and ports all
line up. ipfw(8) does not consider the TCP flags, sequence number,
acknowledgement number, etc. when deciding whether to pass or drop. That
is, ipfw(8) knows nothing about the state of the TCP connection other
than one might exist. However, the TCP flags seen passing by _do_ affect
the lifetime of the dynamic rule.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
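The matching behaviour the reply describes, as an added toy model that is not part of the thread and not FreeBSD's ipfw code: a dynamic rule is keyed on the protocol and the two address/port pairs, an inbound packet passes only if the reverse tuple has a live entry, TCP flags are ignored for that match, and the flags seen only change the rule's remaining lifetime. The class and function names, the addresses (documentation ranges) and the lifetime numbers are all constructed for illustration; the real lifetimes are tunable in FreeBSD but the values here are placeholders.

```python
"""Toy model of ipfw(8) keep-state dynamic rules (illustrative, not ipfw's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int        # 0 for ICMP, which has no ports
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # TCP flag names seen, e.g. {"SYN", "ACK"}


# Constructed lifetimes in seconds, chosen to show the effect; not FreeBSD's defaults.
LIFETIME = {"syn": 20, "established": 300, "fin": 1, "rst": 1, "other": 10}


class ToyStatefulFirewall:
    """Models 'allow <proto> from <inside> to any keep-state' with inbound default deny."""

    def __init__(self, inside_net_prefix):
        self.inside = inside_net_prefix        # constructed prefix such as "192.0.2."
        self.dynamic = {}                      # 5-tuple key -> expiry time

    @staticmethod
    def key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    @staticmethod
    def lifetime(p):
        # Flags only pick how long the entry lives; they never decide pass/drop.
        if p.proto != "tcp":
            return LIFETIME["other"]
        if "RST" in p.flags:
            return LIFETIME["rst"]
        if "FIN" in p.flags:
            return LIFETIME["fin"]
        if "SYN" in p.flags and "ACK" not in p.flags:
            return LIFETIME["syn"]
        return LIFETIME["established"]

    def outbound(self, p, now):
        """Inside -> outside: allowed, and it installs or refreshes a dynamic rule."""
        if not p.src_ip.startswith(self.inside):
            return "deny"
        self.dynamic[self.key(p)] = now + self.lifetime(p)
        return "allow"

    def inbound(self, p, now):
        """Outside -> inside: passes only if the reverse 5-tuple has a live entry.
        Flags, sequence and acknowledgement numbers are not consulted for the match."""
        k = self.reverse_key(p)
        expiry = self.dynamic.get(k)
        if expiry is None or expiry < now:
            self.dynamic.pop(k, None)
            return "deny"
        self.dynamic[k] = now + self.lifetime(p)   # flags adjust the remaining lifetime
        return "allow"


def demo():
    fw = ToyStatefulFirewall("192.0.2.")
    inside, mta = "192.0.2.10", "198.51.100.5"      # constructed documentation-range addresses
    results = {}
    # 1. An outgoing SMTP SYN creates the dynamic rule.
    syn = Packet("tcp", inside, 40000, mta, 25, frozenset({"SYN"}))
    results["out_syn"] = fw.outbound(syn, now=0)
    # 2. The expected SYN/ACK passes...
    synack = Packet("tcp", mta, 25, inside, 40000, frozenset({"SYN", "ACK"}))
    results["in_synack"] = fw.inbound(synack, now=1)
    # 3. ...and so does a reply with no flags at all: only addresses and ports are matched.
    results["in_no_flags"] = fw.inbound(Packet("tcp", mta, 25, inside, 40000), now=2)
    # 4. The remote host still cannot reach a different port on the sender (the "No" above).
    results["in_other_port"] = fw.inbound(Packet("tcp", mta, 25, inside, 22, frozenset({"SYN"})), now=2)
    # 5. A FIN shortens the lifetime, so a later packet on the same tuple is dropped.
    results["in_fin"] = fw.inbound(Packet("tcp", mta, 25, inside, 40000, frozenset({"FIN", "ACK"})), now=3)
    results["in_after_fin"] = fw.inbound(synack, now=3 + LIFETIME["fin"] + 1)
    # 6. ICMP: an outgoing echo request admits any ICMP back, but only from that destination.
    results["out_icmp"] = fw.outbound(Packet("icmp", inside, 0, mta, 0), now=10)
    results["in_icmp_same_host"] = fw.inbound(Packet("icmp", mta, 0, inside, 0), now=11)
    results["in_icmp_other_host"] = fw.inbound(Packet("icmp", "203.0.113.9", 0, inside, 0), now=11)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Running it prints one verdict per step; the ones worth noticing are step 3 (a flagless TCP packet is admitted because the tuple matches) and step 4 (the same remote host is refused on another port), which together are the point of the reply.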
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011030164253.C223>