Date:      Wed, 31 Oct 2001 13:01:23 -0200
From:      "Antonio Carlos Pina" <apina@infolink.com.br>
To:        <freebsd-security@freebsd.org>
Subject:   Re: can I use keep-state for icmp rules?
Message-ID:  <004001c1621c$e85bc820$0b6cffc8@infolink.com.br>
References:  <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT>

Try again:

ipfw add check-state                                              # consult dynamic rules first
ipfw add allow icmp from {thishost} to any out via {oif} keep-state  # our outbound ICMP creates state
ipfw add deny icmp from any to any                                # everything else ICMP is dropped

If your firewall is open by default, all packets will go thru. You have to
have it closed by default or explicitly deny the packets you don't want, as
seen above.

You should only ping the host back while the dynamic rule exists.

Regards,
Antonio Carlos Pina
Diretor de Tecnologia (CTO)
INFOLINK Internet
http://www.infolink.com.br
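As an added illustration (not Antonio's or the ipfw project's code), here is a toy Python model of that rule order: check-state, the keep-state allow rule, then an explicit deny. The rule dictionaries, the Packet class, the 10-second lifetime and the names "thishost" and "remote" are assumptions of the model, not ipfw internals; it reproduces both behaviours described in the thread, the remote host's ping always getting in when nothing denies it, and getting in only while the dynamic rule is alive once the deny is present.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp" or "tcp"
    src: str
    dst: str
    direction: str    # "in" or "out" (stands in for 'via {oif}')
    icmp_type: int    # 8 = echo request, 0 = echo reply

def flow_key(pkt):
    # A dynamic rule is keyed on protocol plus the two addresses and matches in
    # both directions; ICMP type (like TCP flags) is not part of the key.
    return (pkt.proto, frozenset((pkt.src, pkt.dst)))

class Ipfw:
    def __init__(self, rules, default_action="allow", lifetime=10):
        self.rules = rules                    # evaluated in order, first match wins
        self.default_action = default_action  # the implicit last rule: open or closed by default
        self.lifetime = lifetime              # seconds a dynamic rule lives without traffic (assumed)
        self.dynamic = {}                     # flow_key -> expiry time

    def packet(self, pkt, now):
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}  # expire old state
        key = flow_key(pkt)
        for rule in self.rules:
            if rule["action"] == "check-state":
                if key in self.dynamic:
                    self.dynamic[key] = now + self.lifetime  # matching traffic refreshes the entry
                    return "allow"
                continue
            if any(rule.get(f, "any") not in ("any", getattr(pkt, f)) for f in ("proto", "src", "direction")):
                continue
            if rule.get("keep_state"):
                self.dynamic[key] = now + self.lifetime
            return rule["action"]
        return self.default_action

CHECK_STATE = {"action": "check-state"}
KEEP_STATE = {"action": "allow", "proto": "icmp", "src": "thishost", "direction": "out", "keep_state": True}
DENY_ICMP = {"action": "deny", "proto": "icmp"}

def remote_ping_allowed(closed_by_default, delay):
    # Does an echo request from 'remote' get in `delay` seconds after we pinged it?
    rules = [CHECK_STATE, KEEP_STATE] + ([DENY_ICMP] if closed_by_default else [])
    fw = Ipfw(rules)
    fw.packet(Packet("icmp", "thishost", "remote", "out", 8), now=0)  # our ping out creates state
    fw.packet(Packet("icmp", "remote", "thishost", "in", 0), now=1)   # the echo reply passes via state
    return fw.packet(Packet("icmp", "remote", "thishost", "in", 8), now=delay) == "allow"
```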

----- Original Message -----
From: "Michael Scheidell" <scheidell@fdma.com>
To: <freebsd-security@freebsd.org>
Sent: Wednesday, October 31, 2001 11:24 AM
Subject: Re: can I use keep-state for icmp rules?


> ----- Original Message -----
> From: "Crist J. Clark" <cristjc@earthlink.net>
> To: "Michael Scheidell" <scheidell@fdma.com>
> Cc: <freebsd-security@freebsd.org>
> Sent: Tuesday, October 30, 2001 7:42 PM
> Subject: Re: can I use keep-state for icmp rules?
>
>
> > On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> > > You mean if I send email to your system, you can immediately connect to
> > > my internal tcp ports that might not normally have external access
> > > available?
> >
> > No. If you send out a TCP packet to my system that matches your
> > 'keep-state' rule,
> >
> >                    TCP
> >   src_ip.src_port ----> dst_ip.dst_port
> >
> > I can send _any_ TCP packet back,
> >
> >                    TCP
> >   src_ip.src_port <---- dst_ip.dst_port
> >
> > And it will pass provided the source and destination IP and ports all
> > line up. ipfw(8) does not consider the TCP flags, sequence number,
>
>
> So, is ipfilter MORE stateful? ie, will it check more carefully?
> One reason I asked, while testing the ipf icmp rules.
>
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
>     (works)
> Step 3: log on to remote host and ping {thishost} back.  I was able to ping it.
>   Sorta scared me. (no additional ipfw rules)
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
