From owner-freebsd-security Wed Oct 31 7:26:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xlr82xs.shacknet.nu (untimed-10.bri.eis.net.au [203.12.171.225]) by hub.freebsd.org (Postfix) with ESMTP id 1672D37B401 for ; Wed, 31 Oct 2001 07:26:33 -0800 (PST)
Received: from there (xlr82xs.shacknet.nu [127.0.0.1]) by xlr82xs.shacknet.nu (Postfix) with SMTP id 8040B137CB for ; Thu, 1 Nov 2001 01:26:25 +1000 (EST)
Content-Type: text/plain; charset="iso-8859-1"
From: David Trzcinski
Reply-To: xlr82xs@sdf.lonestar.org
To: freebsd-security@FreeBSD.ORG
Subject: Re: can I use keep-state for icmp rules?
Date: Thu, 1 Nov 2001 01:26:21 +1000
X-Mailer: KMail [version 1.3]
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <000901c1620f$51428530$2801010a@MIKELT> <004001c1621c$e85bc820$0b6cffc8@infolink.com.br>
In-Reply-To: <004001c1621c$e85bc820$0b6cffc8@infolink.com.br>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20011031152625.8040B137CB@xlr82xs.shacknet.nu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

heh this kinda makes me wonder why people use keep-state :P

ipfw add allow icmp from any to any out via icmptype 8
ipfw add allow icmp from any to in via icmptype 0

will work fine for pings, just change the icmptypes to suit what you want to do... you don't even need the outbound one if you allow all outbound traffic...

i don't use keep-state for my tcp either, with

ipfw add allow tcp from any to any out via
ipfw add allow log tcp from any to any 80 in via setup
ipfw add allow tcp from any to any in via connected
ipfw add deny log tcp from any to any in via

which, as far as i know, should stop the problems mentioned with using keep-state..

if i'm wrong, please tell me :)

On Thu, 1 Nov 2001 01:01, Antonio Carlos Pina wrote:
> Try again:
>
> ipfw check-state
> ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> ipfw add deny icmp from any to any
>
> If your firewall is open by default, all packets will go thru. You have to
> got it closed by default or explicit deny the packets you don't want, as
> seen above.
>
> You should only ping the host back while the dynamic rule exists.
>
> Regards,
> Antonio Carlos Pina
> Diretor de Tecnologia (CTO)
> INFOLINK Internet
> http://www.infolink.com.br
>
> ----- Original Message -----
> From: "Michael Scheidell"
> To:
> Sent: Wednesday, October 31, 2001 11:24 AM
> Subject: Re: can I use keep-state for icmp rules?
>
>
> > ----- Original Message -----
> > From: "Crist J. Clark"
> > To: "Michael Scheidell"
> > Cc:
> > Sent: Tuesday, October 30, 2001 7:42 PM
> > Subject: Re: can I use keep-state for icmp rules?
> >
> >
> > > On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> > > > You mean if I send email to your system, you can immediately connect to my
> > > > internal tcp ports that might not normally have external access available?
> > >
> > > No. If you send out a TCP packet to my system that matches your
> > > 'keep-state' rule,
> > >
> > >   TCP
> > >   src_ip.src_port ----> dst_ip.dst_port
> > >
> > > I can send _any_ TCP packet back,
> > >
> > >   TCP
> > >   src_ip.src_port <---- dst_ip.dst_port
> > >
> > > And it will pass provided the source and destination IP and ports all
> > > line up. ipfw(8) does not consider the TCP flags, sequence number,
> >
> > So, is ipfilter MORE stateful? ie, will it check more carefully?
> > One reason I asked, while testing the ipf icmp rules.
> >
> > Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> > Step 2: ping remote host
> > (works)
> > Step 3: log on to remote host and ping {thishost} back. I was able to ping it.
> > Sorta scared me. (no additional ipfw rules)
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message

--
Weird enough for government work.
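The behaviour the thread describes (a keep-state entry is keyed only on protocol, addresses and ports, so it passes a fresh inbound echo request or a bare SYN from the remote host, while explicit icmptype / setup / established rules do not) can be modelled in a few lines. The following is an added example written for this archive page, not ipfw's own code and not something any poster in the thread wrote: it is a deliberately simplified model of the matching semantics as Crist and Michael report them for the 2001-era ipfw, and all hosts, ports and packets are constructed sample values.

```python
"""
Toy model of ipfw keep-state vs. explicit rules, as discussed in the thread.
Assumption (simplified model, not ipfw source): a dynamic entry is the 5-tuple
(proto, src, sport, dst, dport), matched in either direction, ignoring ICMP type
and TCP flags. ICMP entries use port 0 on both sides.
"""
from dataclasses import dataclass
from typing import List, Optional

THISHOST = "10.0.0.1"   # constructed: the firewall host
REMOTE = "192.0.2.10"   # constructed: the host we ping / talk to


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp" or "tcp"
    src: str
    dst: str
    direction: str                # "in" or "out" via the external interface
    sport: int = 0                # 0 for ICMP
    dport: int = 0
    icmptype: Optional[int] = None
    flags: str = ""               # TCP flags as letters, e.g. "S", "SA", "A"


class KeepStateFirewall:
    """Models: check-state; allow <proto> from THISHOST to any out keep-state; deny the rest."""

    def __init__(self) -> None:
        self.dynamic = set()      # dynamic entries, one 5-tuple each

    def check(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # check-state: an entry matches both directions; type and flags are not examined
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow:dynamic"
        if p.direction == "out" and p.src == THISHOST:
            self.dynamic.add(fwd)  # keep-state installs the entry on first match
            return "allow:keep-state"
        return "deny"


class ExplicitRuleFirewall:
    """Models the static rules: icmptype 8 out / icmptype 0 in; tcp out, setup in to 80, established in."""

    def check(self, p: Packet) -> str:
        if p.proto == "icmp":
            if p.direction == "out" and p.icmptype == 8:
                return "allow:echo-request-out"
            if p.direction == "in" and p.icmptype == 0:
                return "allow:echo-reply-in"
            return "deny"
        if p.proto == "tcp":
            if p.direction == "out":
                return "allow:tcp-out"
            if p.flags == "S" and p.dport == 80:   # 'setup': SYN without ACK, to the web port
                return "allow:tcp-setup-80"
            if "A" in p.flags or "R" in p.flags:   # 'established': ACK or RST bit set
                return "allow:tcp-established"
            return "deny"
        return "deny"


def run(fw, packets: List[Packet]) -> List[str]:
    """Feed packets through a firewall model in order and return one verdict per packet."""
    return [fw.check(p) for p in packets]


# Constructed replay of Michael's three steps: ping out, reply back, remote pings us.
ICMP_SCENARIO = [
    Packet("icmp", THISHOST, REMOTE, "out", icmptype=8),
    Packet("icmp", REMOTE, THISHOST, "in", icmptype=0),
    Packet("icmp", REMOTE, THISHOST, "in", icmptype=8),   # step 3: remote host pings back
]

# Constructed replay of Crist's point: after our outbound packet the remote sends a
# SYN/ACK (legitimate) and then a bare SYN (a new connection) on the same 5-tuple.
TCP_SCENARIO = [
    Packet("tcp", THISHOST, REMOTE, "out", sport=40000, dport=25, flags="S"),
    Packet("tcp", REMOTE, THISHOST, "in", sport=25, dport=40000, flags="SA"),
    Packet("tcp", REMOTE, THISHOST, "in", sport=25, dport=40000, flags="S"),
]

if __name__ == "__main__":
    for label, scenario in (("icmp", ICMP_SCENARIO), ("tcp", TCP_SCENARIO)):
        print(label, "keep-state:", run(KeepStateFirewall(), scenario))
        print(label, "explicit:  ", run(ExplicitRuleFirewall(), scenario))
```

The third packet of each scenario is the one that matters: the keep-state model passes it because the 5-tuple already has a dynamic entry, whereas the explicit-rule model denies it because an inbound echo request is not type 0 and a bare SYN to a high port is neither a permitted setup nor established. The model deliberately leaves out dynamic-rule lifetimes, which is the caveat Antonio raises (the remote host can only get through while the entry still exists).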