From owner-freebsd-security Wed Oct 31 14: 7:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id C604037B401 for ; Wed, 31 Oct 2001 14:07:12 -0800 (PST)
Received: from user-2ivfo13.dialup.mindspring.com ([165.247.224.35] helo=gohan.cjclark.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 15z3Vv-0002ln-00; Wed, 31 Oct 2001 14:07:12 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id f9VL8Ha00388; Wed, 31 Oct 2001 13:08:18 -0800 (PST) (envelope-from cjc)
Date: Wed, 31 Oct 2001 13:08:17 -0800
From: "Crist J. Clark"
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011031130817.A246@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000901c1620f$51428530$2801010a@MIKELT>; from scheidell@fdma.com on Wed, Oct 31, 2001 at 08:24:05AM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Oct 31, 2001 at 08:24:05AM -0500, Michael Scheidell wrote:

[snip]

> So, is ipfilter MORE stateful? i.e., will it check more carefully?

Not sure if checking more "carefully" is an accurate statement, but
IPFilter does only allow TCP packets that it "expects" back in. It does
track sequence numbers, which ipfw(8) does not track at all.

> One reason I asked, while testing the ipf icmp rules.
>
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)

This is ICMP, not TCP, and yes, this will work. I believe I did already
point this out earlier in the thread.

--
Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
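The three-step test quoted in the thread, replayed against a toy model of ipfw dynamic rules. This is an added illustration, not ipfw source or anything posted by either author. It assumes that a keep-state entry is keyed on (protocol, source, destination, source port, destination port), that ipfw records the ports of a port-less protocol such as ICMP as 0, that check-state matches an entry in either direction, and that the ICMP type is not part of the key; dynamic-rule expiry timers are ignored. Under those assumptions the echo request the remote host sends back in step 3 matches the same entry as the echo reply, which is the behaviour the reply describes. The second policy models a stateless alternative built from ipfw's `icmptypes` option (echo requests out, echo replies in) for comparison; host addresses are constructed.

```python
# Toy model of ipfw(8) keep-state/check-state handling of ICMP (added
# example, not ipfw source). Assumptions: state key is
# (proto, src, dst, sport, dport), ICMP ports are stored as 0, check-state
# matches forward or reverse, ICMP type is not in the key, no expiry.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" or "in" relative to {thishost}
    proto: str              # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0          # port-less protocols are recorded with 0
    dport: int = 0
    icmptype: Optional[int] = None


Key = Tuple[str, str, str, int, int]


class DynamicTable:
    """State table filled by keep-state and consulted by check-state."""

    def __init__(self) -> None:
        self.entries: Set[Key] = set()

    def keep_state(self, p: Packet) -> None:
        self.entries.add((p.proto, p.src, p.dst, p.sport, p.dport))

    def check_state(self, p: Packet) -> bool:
        forward: Key = (p.proto, p.src, p.dst, p.sport, p.dport)
        reverse: Key = (p.proto, p.dst, p.src, p.dport, p.sport)
        return forward in self.entries or reverse in self.entries


def keep_state_policy(thishost: str, pkts: List[Packet]) -> List[str]:
    """Models the thread's rule set:
       ipfw add allow icmp from {thishost} to any out keep-state
    with the implicit check-state on every packet and default deny."""
    table = DynamicTable()
    verdicts: List[str] = []
    for p in pkts:
        if table.check_state(p):
            verdicts.append("allow")           # matched a dynamic entry
        elif p.direction == "out" and p.proto == "icmp" and p.src == thishost:
            table.keep_state(p)                 # create the dynamic entry
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


def icmptypes_policy(thishost: str, pkts: List[Packet]) -> List[str]:
    """Models a stateless alternative using ipfw's icmptypes option:
       ipfw add allow icmp from {thishost} to any out icmptypes 8
       ipfw add allow icmp from any to {thishost} in icmptypes 0
    with default deny. Inbound echo requests are not admitted."""
    verdicts: List[str] = []
    for p in pkts:
        if p.proto != "icmp":
            verdicts.append("deny")
        elif p.direction == "out" and p.src == thishost and p.icmptype == ECHO_REQUEST:
            verdicts.append("allow")
        elif p.direction == "in" and p.dst == thishost and p.icmptype == ECHO_REPLY:
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


# Constructed trace of the three steps in the thread (documentation
# addresses, not real hosts).
THISHOST = "192.0.2.10"
REMOTE = "198.51.100.20"
TRACE = [
    Packet("out", "icmp", THISHOST, REMOTE, icmptype=ECHO_REQUEST),  # step 2: ping out
    Packet("in", "icmp", REMOTE, THISHOST, icmptype=ECHO_REPLY),     # the reply
    Packet("in", "icmp", REMOTE, THISHOST, icmptype=ECHO_REQUEST),   # step 3: remote pings back
]

if __name__ == "__main__":
    print("keep-state :", keep_state_policy(THISHOST, TRACE))
    print("icmptypes  :", icmptypes_policy(THISHOST, TRACE))
```

Run as-is: the keep-state model allows all three packets, because the entry created by the outgoing ping is keyed only on the two addresses and protocol, so the remote host's echo request is indistinguishable from the expected echo reply; the icmptypes model denies the third packet. Whether the real kernel also denies it depends on the dynamic entry having expired, which the model leaves out.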