From: "Antonio Carlos Pina"
To: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Date: Wed, 31 Oct 2001 13:01:23 -0200

Try again:

    ipfw check-state
    ipfw add allow icmp from {thishost} to any out via {oif} keep-state
    ipfw add deny icmp from any to any

If your firewall is open by default, all packets will go through. You have to have it closed by default or explicitly deny the packets you don't want, as seen above. You should only be able to ping the host back while the dynamic rule exists.

Regards,
Antonio Carlos Pina
Diretor de Tecnologia (CTO)
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Michael Scheidell"
Sent: Wednesday, October 31, 2001 11:24 AM
Subject: Re: can I use keep-state for icmp rules?

> ----- Original Message -----
> From: "Crist J. Clark"
> To: "Michael Scheidell"
> Sent: Tuesday, October 30, 2001 7:42 PM
> Subject: Re: can I use keep-state for icmp rules?
>
> > On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> > > You mean if I send email to your system, you can immediately connect to my
> > > internal tcp ports that might not normally have external access available?
> >
> > No. If you send out a TCP packet to my system that matches your
> > 'keep-state' rule,
> >
> >     TCP
> >     src_ip.src_port ----> dst_ip.dst_port
> >
> > I can send _any_ TCP packet back,
> >
> >     TCP
> >     src_ip.src_port <---- dst_ip.dst_port
> >
> > And it will pass provided the source and destination IP and ports all
> > line up. ipfw(8) does not consider the TCP flags, sequence number,
>
> So, is ipfilter MORE stateful? I.e., will it check more carefully?
> One reason I asked, while testing the ipf icmp rules.
>
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping it.
> Sorta scared me. (no additional ipfw rules)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
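To make the mechanism discussed in this thread concrete, here is a small added model (not code from the thread, from ipfw or from its authors) of check-state / keep-state: it plays through the ICMP ruleset from the reply above and, going beyond it, a TCP flow to show the point that dynamic matching looks only at addresses and ports, never at TCP flags. The host addresses, the entry lifetime and the generic "from {thishost} to any keep-state" rule are assumptions made for the illustration.

```python
# Added example, not from the thread or from ipfw: a toy model of the
# check-state / keep-state logic under discussion. Dynamic entries are keyed
# on protocol, addresses and ports only, so the reverse packet of a tracked
# flow passes whatever its TCP flags, and only while the entry is still alive.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP, which has no ports
    dport: int = 0
    flags: str = ""     # TCP flags; never consulted when matching state


@dataclass
class Firewall:
    default_allow: bool   # True models a firewall that is "open by default"
    explicit_deny: bool   # True appends "deny icmp from any to any"
    thishost: str = "10.0.0.1"   # assumed address of the protected host
    lifetime: int = 10    # seconds a dynamic entry lives (assumed value)
    dynamic: dict = field(default_factory=dict)   # flow key -> expiry time

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # Both directions of a flow share one key, so the reply matches too.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check_state(self, p: Packet, now: int) -> bool:
        # "ipfw check-state": pass if a live dynamic entry matches this packet.
        expiry = self.dynamic.get(self.flow_key(p))
        return expiry is not None and now < expiry

    def filter(self, p: Packet, now: int) -> str:
        if self.check_state(p, now):
            return "allow (dynamic)"
        # "allow ip from {thishost} to any out keep-state": outbound packets
        # from this host pass and create an entry covering the reverse direction.
        if p.src == self.thishost:
            self.dynamic[self.flow_key(p)] = now + self.lifetime
            return "allow (keep-state)"
        # "deny icmp from any to any" closes the door to unsolicited pings.
        if self.explicit_deny and p.proto == "icmp":
            return "deny"
        return "allow (default)" if self.default_allow else "deny"
```

Feed it an outbound ping followed by the remote host's ping back to see the reply pass only until the entry expires, and compare with a default-open instance where the unsolicited ping passes regardless.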