From owner-freebsd-security Tue Oct 30 21: 3: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 6E3CF37B403 for ; Tue, 30 Oct 2001 21:02:59 -0800 (PST)
Received: from user-38lc2so.dialup.mindspring.com ([209.86.11.152] helo=gohan.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 15ynWi-0005GO-00; Tue, 30 Oct 2001 21:02:58 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id f9V0gs000523; Tue, 30 Oct 2001 16:42:54 -0800 (PST) (envelope-from cjc)
Date: Tue, 30 Oct 2001 16:42:53 -0800
From: "Crist J. Clark"
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011030164253.C223@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <005501c1613f$dfb46520$0603a8c0@MIKELT>; from scheidell@fdma.com on Tue, Oct 30, 2001 at 07:39:09AM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> From: ""Crist J. Clark""
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?

No. If you send out a TCP packet to my system that matches your
'keep-state' rule,

  TCP src_ip.src_port ----> dst_ip.dst_port

I can send _any_ TCP packet back,

  TCP src_ip.src_port <---- dst_ip.dst_port

And it will pass provided the source and destination IP and ports all
line up. ipfw(8) does not consider the TCP flags, sequence number,
acknowledgement number, etc. when deciding whether to pass or drop.
That is, ipfw(8) knows nothing about the state of the TCP connection
other than one might exist. However, the TCP flags seen passing by
_do_ affect the lifetime of the dynamic rule.
-- 
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
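A toy model of the keep-state behaviour Crist describes above, added here as an illustration and not code from ipfw or from anyone in the thread: dynamic rules are keyed on the address/port 4-tuple only, a reply with any flags passes when that tuple lines up, a packet to a different port does not, and the flags seen only move the rule's expiry. The lifetime constants are assumptions loosely modelled on FreeBSD's net.inet.ip.fw.dyn_*_lifetime sysctls, and the packets are constructed sample traffic.

```python
from dataclasses import dataclass

# Assumed lifetimes in seconds, loosely modelled on FreeBSD's
# net.inet.ip.fw.dyn_{syn,ack,fin,rst}_lifetime sysctls (not ipfw code).
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # any subset of {"SYN", "ACK", "FIN", "RST"}

def lifetime_for(flags):
    """Only the rule lifetime depends on the flags, never the pass/drop decision."""
    if "RST" in flags:
        return LIFETIME["rst"]
    if "FIN" in flags:
        return LIFETIME["fin"]
    if "SYN" in flags and "ACK" not in flags:
        return LIFETIME["syn"]
    return LIFETIME["ack"]

class DynamicRules:
    """Toy model of ipfw keep-state: entries keyed on the TCP 4-tuple only."""
    def __init__(self):
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> expiry time

    def keep_state(self, p, now):
        """An outbound packet matched a keep-state rule: install a dynamic rule."""
        self.table[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = now + lifetime_for(p.flags)

    def check(self, p, now):
        """True if a live dynamic rule matches p in either direction.
        Flags, sequence and acknowledgement numbers are never consulted."""
        forward = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        for key in (forward, reverse):
            if key in self.table and self.table[key] > now:
                self.table[key] = now + lifetime_for(p.flags)  # flags only refresh the timer
                return True
        return False

def demo():
    """Constructed scenario: one outbound SMTP connection, then three inbound packets."""
    fw = DynamicRules()
    fw.keep_state(Packet("192.0.2.10", 40000, "198.51.100.5", 25, frozenset({"SYN"})), now=0)
    reply = Packet("198.51.100.5", 25, "192.0.2.10", 40000, frozenset({"ACK"}))
    other_port = Packet("198.51.100.5", 25, "192.0.2.10", 139, frozenset({"SYN"}))
    fin = Packet("198.51.100.5", 25, "192.0.2.10", 40000, frozenset({"FIN", "ACK"}))
    return {
        "reply_passes": fw.check(reply, now=1),            # 4-tuple lines up: passes
        "other_port_blocked": fw.check(other_port, now=1),  # no rule for that tuple
        "fin_passes": fw.check(fin, now=2),                # still live; FIN shortens the timer
        "after_fin_expired": fw.check(reply, now=4),       # rule expired 1s after the FIN
    }
```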