Date: Wed, 31 Oct 2001 13:08:17 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Michael Scheidell <scheidell@fdma.com>
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011031130817.A246@gohan.cjclark.org>
In-Reply-To: <000901c1620f$51428530$2801010a@MIKELT>; from scheidell@fdma.com on Wed, Oct 31, 2001 at 08:24:05AM -0500
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT>
On Wed, Oct 31, 2001 at 08:24:05AM -0500, Michael Scheidell wrote:

[snip]

> So, is ipfilter MORE stateful? i.e., will it check more carefully?

Not sure if checking more "carefully" is an accurate statement, but IPFilter does only allow TCP packets that it "expects" back in. It does track sequence numbers, which ipfw(8) does not track at all.

> One reason I asked, while testing the ipf icmp rules.
>
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)

This is ICMP, not TCP, and yes, this will work. I believe I did already point this out earlier in the thread.

-- 
Crist J. Clark cjclark@alum.mit.edu
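The behaviour the thread describes (an outbound ICMP keep-state rule letting the remote host ping back) comes from the ICMP dynamic rule being keyed on protocol and the two addresses, with no ICMP type in the key. The following model, added here as an illustration and not code from ipfw(8) or from anyone in the thread, reproduces the three steps from the quoted message and contrasts them with a stateless rule set that uses ipfw's `icmptypes` option instead of `keep-state`. The addresses, the rule representation and the exact ipfw rule wording in the comments are assumptions made for the example.

```python
"""Toy model of ipfw(8) keep-state behaviour for ICMP.

Added example, not ipfw's own code. It assumes, as the thread reports, that an
ICMP dynamic rule matches on protocol and address pair only (no ICMP type), so
any ICMP type between the same two hosts matches it in either direction.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed addresses (RFC 5737 documentation ranges); {thishost} and the
# remote host from the quoted message.
THISHOST, REMOTE = "192.0.2.10", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    direction: str  # "out" or "in"


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    direction: Optional[str]             # "out", "in", or None for either
    src: str                             # address or "any"
    dst: str                             # address or "any"
    icmptypes: Optional[FrozenSet[int]] = None  # None: any ICMP type
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and self.src in ("any", p.src)
            and self.dst in ("any", p.dst)
            and (self.icmptypes is None or p.icmp_type in self.icmptypes)
        )


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Dynamic state: address pairs, matched in both directions.
        # Assumed key: (proto, src, dst) with no ICMP type, as the thread reports.
        self.dynamic = set()

    def check(self, p: Packet) -> str:
        # Dynamic entries are consulted before the static rules.
        if (p.src, p.dst) in self.dynamic or (p.dst, p.src) in self.dynamic:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and r.keep_state:
                    self.dynamic.add((p.src, p.dst))
                return r.action
        return "deny"  # default deny, as with a closed ruleset


def run_steps(fw: Firewall) -> dict:
    """Steps 1-3 of the quoted message, returning the verdict for each packet."""
    out = {}
    # Step 2: ping remote host (echo request out, echo reply back in)
    out["ping out"] = fw.check(Packet(THISHOST, REMOTE, ECHO_REQUEST, "out"))
    out["reply in"] = fw.check(Packet(REMOTE, THISHOST, ECHO_REPLY, "in"))
    # Step 3: remote host pings {thishost}: an inbound echo request
    out["remote ping in"] = fw.check(Packet(REMOTE, THISHOST, ECHO_REQUEST, "in"))
    return out


def keep_state_scenario() -> dict:
    # Step 1 from the message:
    #   ipfw add allow icmp from {thishost} to any out via {oif} keep-state
    fw = Firewall([Rule("allow", "out", THISHOST, "any", keep_state=True)])
    return run_steps(fw)


def stateless_icmptypes_scenario() -> dict:
    # Assumed stateless equivalent using ipfw's icmptypes option, e.g.:
    #   ipfw add allow icmp from {thishost} to any out icmptypes 8
    #   ipfw add allow icmp from any to {thishost} in icmptypes 0,3,11
    fw = Firewall([
        Rule("allow", "out", THISHOST, "any", icmptypes=frozenset({ECHO_REQUEST})),
        Rule("allow", "in", "any", THISHOST,
             icmptypes=frozenset({ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED})),
    ])
    return run_steps(fw)


if __name__ == "__main__":
    print("keep-state:", keep_state_scenario())
    print("icmptypes: ", stateless_icmptypes_scenario())
```

With the keep-state rule, all three packets are allowed, including the remote host's inbound echo request, because it shares the address pair with the dynamic entry created by the outbound ping. The stateless `icmptypes` rule set denies that inbound echo request while still admitting echo replies and the unreachable/time-exceeded messages a ping or traceroute needs; the trade-off is that those permitted types are then accepted from anyone at any time, since nothing ties them to an outbound probe.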
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011031130817.A246>