From: Krzysztof Zaraska
Date: Wed, 31 Oct 2001 20:45:35 +0100 (CET)
To: Michael Scheidell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: can I use keep-state for icmp rules?
In-Reply-To: <000901c1620f$51428530$2801010a@MIKELT>

On Wed, 31 Oct 2001, Michael Scheidell wrote:

> So, is ipfilter MORE stateful? ie, will it check more carefully?

At least with TCP, yes.

> One reason I asked, while testing the ipf icmp rules.
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)

See my previous mail on this topic. keep-state will allow back _any_ ICMP from the host you ping, so if you ping them, they may ping you back until the dynamic rule expires (note, however, that _theoretically_ it may never expire, since it will be constantly refreshed by your ping replies). In order to prevent this from happening one should filter based on ICMP types. ICMP may be effectively filtered even in a non-stateful manner.

See my previous post for a slightly more detailed discussion.

Krzysztof
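The type-based, non-stateful ICMP filtering Krzysztof describes, written out as an added example (this is not a ruleset from the thread or from the FreeBSD project). It assumes placeholder values for {thishost} (192.0.2.10), {oif} (fxp0) and the rule numbers; IPFW defaults to "echo" so the script only prints the commands, and running it with IPFW=ipfw installs them. Outbound echo requests (type 8) are allowed, inbound echo replies (type 0) and the error messages a working stack needs (types 3 and 11) are allowed, and all other inbound ICMP, including echo requests from a host you pinged earlier, is denied, so no dynamic rule exists to be kept alive by reply traffic.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# IPFW defaults to "echo" (dry run that prints the rules); set IPFW=ipfw to install them.
IPFW=${IPFW:-echo}
THISHOST=${THISHOST:-192.0.2.10}   # placeholder for {thishost}
OIF=${OIF:-fxp0}                    # placeholder for {oif}

icmp_rules() {
    # Only echo requests may leave this host (the ping we send).
    $IPFW add 1000 allow icmp from "$THISHOST" to any out via "$OIF" icmptypes 8
    # Only echo replies come back in: answers to our own pings.
    $IPFW add 1010 allow icmp from any to "$THISHOST" in via "$OIF" icmptypes 0
    # Error messages the stack relies on: destination unreachable (3), time exceeded (11).
    $IPFW add 1020 allow icmp from any to "$THISHOST" in via "$OIF" icmptypes 3,11
    # Everything else inbound, including echo requests from the remote host, is dropped and logged.
    $IPFW add 1030 deny log icmp from any to "$THISHOST" in via "$OIF"
}

icmp_rules
```

Because no keep-state rule is involved, there is no dynamic entry for the remote host to reuse and nothing for your ping replies to refresh; the remote host's echo request hits rule 1030 and shows up in the ipfw log.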