From owner-freebsd-security Wed Oct 31 14: 7:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 1FF0037B403 for ; Wed, 31 Oct 2001 14:07:09 -0800 (PST)
Received: from user-2ivfo13.dialup.mindspring.com ([165.247.224.35] helo=gohan.cjclark.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 15z3Vr-0002ln-00; Wed, 31 Oct 2001 14:07:08 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id f9VLEYe00399; Wed, 31 Oct 2001 13:14:34 -0800 (PST) (envelope-from cjc)
Date: Wed, 31 Oct 2001 13:14:34 -0800
From: "Crist J. Clark"
To: xlr82xs@sdf.lonestar.org
Cc: freebsd-security@freebsd.org
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011031131434.B246@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <000901c1620f$51428530$2801010a@MIKELT> <004001c1621c$e85bc820$0b6cffc8@infolink.com.br> <20011031152625.8040B137CB@xlr82xs.shacknet.nu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011031152625.8040B137CB@xlr82xs.shacknet.nu>; from xlr82xs@xlr82xs.shacknet.nu on Thu, Nov 01, 2001 at 01:26:21AM +1000
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
[snip]
> I don't use keep-state for my tcp either, with
>
> ipfw add allow tcp from any to any out via
> ipfw add allow log tcp from any to any 80 in via setup
> ipfw add allow tcp from any to any in via connected
> ipfw add deny log tcp from any to any in via
>
> which, as far as I know, should stop the problems mentioned with using
> keep-state..
>
> if I'm wrong, please tell me :)

Doing a stateless packet filter for TCP has some problems. It is
trivial to scan for the topology of the network behind the firewall,
for example. It is possible to fingerprint network stacks to some
extent through a stateless packet filter.
--
Crist J. Clark                          cjclark@alum.mit.edu
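To make Crist's point concrete, here is an added illustration that is not part of the thread and not ipfw code: a small Python model that runs the same packet sequence through the four-rule stateless policy quoted above and through a keep-state policy. The model is a simplification: ipfw's `setup` is reduced to "SYN set, ACK clear", the quoted `connected` line is assumed to mean ipfw's `established` test ("ACK or RST set"), the missing interface names are ignored, and the addresses, ports and packet trace are constructed for the example.

```python
# Added illustration (not from the mailing-list thread): a simplified model of
# how a stateless TCP ruleset like the one quoted above differs from a
# keep-state ruleset.  Rule semantics are reduced to ipfw's 'setup' (SYN set,
# ACK clear) and 'established' (ACK or RST set) flag tests; the quoted
# 'connected' rule is assumed to mean 'established'.  Packets are constructed.
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "in" (toward the protected network) or "out"


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a handshake."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set.  It says nothing about whether a
    handshake through this firewall ever happened."""
    return bool(p.flags & (ACK | RST))


def stateless(p: Packet) -> str:
    """Evaluate the quoted four-rule stateless policy, first match wins."""
    if p.direction == "out":                       # allow tcp from any to any out
        return "allow"
    if is_setup(p) and p.dport == 80:              # allow ... 80 in setup
        return "allow"
    if is_established(p):                          # allow ... in (established)
        return "allow"
    return "deny"                                  # deny ... in


class StatefulFilter:
    """keep-state model: a packet passes only if it belongs to a connection
    whose opening SYN was itself permitted by a rule."""

    def __init__(self) -> None:
        self.table: set = set()

    @staticmethod
    def key(p: Packet) -> frozenset:
        # Direction-independent connection identifier.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> str:
        k = self.key(p)
        if k in self.table:
            if p.flags & RST:            # a reset tears the dynamic entry down
                self.table.discard(k)
            return "allow"
        if is_setup(p) and (p.direction == "out" or p.dport == 80):
            self.table.add(k)            # 'setup ... keep-state' rule matched
            return "allow"
        return "deny"                    # no state and not a permitted handshake


def compare(packets):
    """Run one packet sequence through both policies.
    Returns a list of (stateless_verdict, keep_state_verdict) per packet."""
    sf = StatefulFilter()
    return [(stateless(p), sf.evaluate(p)) for p in packets]


if __name__ == "__main__":
    inside, outside = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses
    trace = [
        Packet(inside, 50000, outside, 443, SYN, "out"),        # client SYN leaving
        Packet(outside, 443, inside, 50000, SYN | ACK, "in"),   # server's reply
        Packet(outside, 41000, inside, 80, SYN, "in"),          # new request to the web server
        Packet(outside, 41001, inside, 22, SYN, "in"),          # new request to ssh
        Packet(outside, 41002, inside, 22, ACK, "in"),          # bare ACK with no prior handshake
    ]
    for p, (a, b) in zip(trace, compare(trace)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  stateless={a}  keep-state={b}")
```

The last packet in the trace is the one that matters: the stateless policy accepts any inbound segment with ACK set because `established` is a flag test, not a connection test, so the segment reaches the internal host and that host's response (or silence) is what the filter cannot hide. The keep-state policy has no dynamic entry for it and drops it. The other four packets get the same verdict under both policies, which is why the stateless ruleset looks equivalent in normal use.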