From owner-freebsd-security Wed Oct 31 16: 9:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from greg.cex.ca (h24-207-26-100.dlt.dccnet.com [24.207.26.100]) by hub.freebsd.org (Postfix) with SMTP id 55BCF37B406 for ; Wed, 31 Oct 2001 16:09:08 -0800 (PST)
Received: (qmail 66699 invoked by uid 1001); 1 Nov 2001 00:09:29 -0000
Mail-Followup-To: freebsd-security@FreeBSD.org
Date: Wed, 31 Oct 2001 16:09:28 -0800
From: Greg White
To: FreeBSD Security
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011031160928.H58605@greg.cex.ca>
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT> <20011031130817.A246@gohan.cjclark.org> <20011031144209.A89351@bluenugget.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011031144209.A89351@bluenugget.net>; from geniusj@bluenugget.net on Wed, Oct 31, 2001 at 02:42:09PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed Oct 10/31/01, 2001 at 02:42:09PM -0800, Jason DiCioccio wrote:
> On Wed, Oct 31, 2001 at 01:08:17PM -0800, Crist J. Clark wrote:
> [snip]
> > Not sure if checking more "carefully" is an accurate statement, but
> > IPFilter does only allow TCP packets that it "expects" back in. It
> > does track sequence numbers which ipfw(8) does not track at all.
> [snip]
>
> Now I'm curious. Will using "flags S" after keep state rules in ipfilter
> degrade the quality of ipf's stateful inspection? I know it is recommended (at
> least on the ipfilter webpage) to use flags S for tcp keep state rules if your
> state table is filling up, if not in all cases. I'm just curious to know
> whether using that 'flags S' will make the inspection work more like ipfw's.
> If so, I might have to reconsider my use of it. :-)

No, cannot see how it could. 'flags S' is for the outbound connection, not the packets coming back. Packets coming back are rigorously checked regardless of the rule that caused the state table entry. 'flags S' merely works around protocols which often 'slip state' -- replies come back out-of-sequence, etc. HTTP is really bad for this, e.g. See the ipfilter archives for _lots_ of discussion on this topic.

--
Greg White

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
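The distinction drawn in this exchange, as an added toy model that is not code from the thread, from IPFilter or from ipfw: one state table keyed only on addresses and ports (the ipfw keep-state behaviour Crist Clark describes), one that additionally tracks each side's sequence and acknowledgement numbers (the IPFilter behaviour he describes, reduced here to a simple window check that is an assumption of the model, not IPFilter's actual algorithm), and a `syn_only` switch that models what 'flags S' does on the rule creating the entry. The addresses, ports and packets are constructed.

```python
"""Toy model: 5-tuple-only state versus sequence-tracking state, and the
effect of 'flags S' on the rule that creates state.  Written for this page;
not ipfilter or ipfw code.  The WINDOW check is a simplification assumed
here, and every address, port and packet below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # subset of {"S", "A", "F", "R"}
    seq: int = 0
    ack: int = 0
    plen: int = 0               # TCP payload length


SYN, ACK, SYNACK = frozenset("S"), frozenset("A"), frozenset("SA")


def fwd_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def rev_key(p):
    return (p.dst, p.dport, p.src, p.sport)


class TupleTable:
    """5-tuple-only state (the thread's description of ipfw keep-state): once an
    outbound packet creates an entry, any inbound packet with the reversed
    addresses/ports is let in, whatever its seq/ack numbers carry."""

    def __init__(self, syn_only=False):
        self.syn_only = syn_only    # models 'flags S' on the keep-state rule
        self.table = set()

    def outbound(self, p):
        if fwd_key(p) in self.table:
            return True
        if self.syn_only and p.flags != SYN:
            return False            # rule does not match a non-SYN: no new entry
        self.table.add(fwd_key(p))
        return True

    def inbound(self, p):
        return rev_key(p) in self.table


class SeqTable:
    """Sequence-tracking state (simplified IPFilter-like model): the entry keeps
    each side's next expected seq; a packet passes only if its seq lies within
    WINDOW of that and its ack does not cover data the peer has not sent."""

    WINDOW = 65535

    def __init__(self):
        self.table = {}             # key -> {"out": next_seq, "in": next_seq|None}

    def outbound(self, p):
        st = self.table.get(fwd_key(p))
        if st is None:
            if p.flags != SYN:
                return False        # only a bare SYN may create state
            self.table[fwd_key(p)] = {"out": p.seq + 1, "in": None}
            return True
        return self._check(st, "out", "in", p)

    def inbound(self, p):
        st = self.table.get(rev_key(p))
        if st is None:
            return False
        if st["in"] is None:        # still waiting for the SYN/ACK
            if p.flags != SYNACK or p.ack != st["out"]:
                return False
            st["in"] = p.seq + 1
            return True
        return self._check(st, "in", "out", p)

    def _check(self, st, me, peer, p):
        exp = st[me]
        if not exp - self.WINDOW <= p.seq <= exp + self.WINDOW:
            return False
        if st[peer] is not None and not st[peer] - self.WINDOW <= p.ack <= st[peer]:
            return False
        st[me] = max(exp, p.seq + p.plen + ("F" in p.flags))
        return True


def run_demo():
    """Replay a constructed handshake plus data, then two spoofed inbound
    packets that match the 5-tuple but carry bogus seq/ack numbers."""
    c, s = ("10.0.0.5", 40000), ("203.0.113.10", 80)
    out = lambda f, seq, ack, plen=0: Pkt(c[0], c[1], s[0], s[1], f, seq, ack, plen)
    inn = lambda f, seq, ack, plen=0: Pkt(s[0], s[1], c[0], c[1], f, seq, ack, plen)
    exchange = [("outbound", out(SYN, 1000, 0)), ("inbound", inn(SYNACK, 5000, 1001)),
                ("outbound", out(ACK, 1001, 5001)), ("outbound", out(ACK, 1001, 5001, 100)),
                ("inbound", inn(ACK, 5001, 1101, 200))]
    spoof_seq = inn(ACK, 999_999, 1)       # seq far outside the window
    spoof_ack = inn(ACK, 5201, 999_999)    # acks data the client never sent
    result = {}
    for name, fw in (("tuple", TupleTable()), ("seq", SeqTable())):
        ok = all(getattr(fw, d)(p) for d, p in exchange)
        result[name] = (ok, fw.inbound(spoof_seq), fw.inbound(spoof_ack))
    # 'flags S': a stray outbound bare ACK must not open a hole for "replies"
    stray, reply = out(ACK, 7, 7), inn(ACK, 7, 8)
    loose, strict = TupleTable(), TupleTable(syn_only=True)
    result["flags_S"] = (loose.outbound(stray) and loose.inbound(reply),
                         strict.outbound(stray) or strict.inbound(reply))
    return result
```

`run_demo()` returns `{"tuple": (True, True, True), "seq": (True, False, False), "flags_S": (True, False)}`: both tables pass the legitimate exchange, only the sequence-tracking table rejects the two spoofed packets, and `syn_only` changes only which outbound packets may create an entry, not how returning packets are judged.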