From owner-freebsd-security Thu Nov 1 1:35:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with SMTP id 9113A37B40A for ; Thu, 1 Nov 2001 01:35:16 -0800 (PST)
Received: (qmail 9903 invoked from network); 1 Nov 2001 09:35:14 -0000
Received: from ear.nlink.com.br (HELO ear.com.br) (200.249.196.67) by mirage.nlink.com.br with SMTP; 1 Nov 2001 09:35:14 -0000
Received: from EARMDPA01/SpoolDir by ear.com.br (Mercury 1.48); 1 Nov 01 06:37:12 GMT-3
Received: from SpoolDir by EARMDPA01 (Mercury 1.48); 1 Nov 01 06:35:30 GMT-3
From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: cjclark@alum.mit.edu
Date: Thu, 1 Nov 2001 06:35:16 -0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: can I use keep-state for icmp rules?
Reply-To: mlobo@ear.com.br
Cc: freebsd-security@freebsd.org
Message-ID: <3BE0FB2F.32137.8E1D80C@localhost>
In-reply-to: <20011031131434.B246@gohan.cjclark.org>
References: <20011031152625.8040B137CB@xlr82xs.shacknet.nu>; from xlr82xs@xlr82xs.shacknet.nu on Thu, Nov 01, 2001 at 01:26:21AM +1000
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> [snip]
> > i don't use keep-state for my tcp either, with
> >
> > ipfw add allow tcp from any to any out via
> > ipfw add allow log tcp from any to any 80 in via setup
> > ipfw add allow tcp from any to any in via connected
> > ipfw add deny log tcp from any to any in via
> >
> > which, as far as i know, should stop the problems mentioned with using
> > keep-state..
> >
> > if i'm wrong, please tell me :)
>
> Doing a stateless packet filter for TCP has some problems. It is
> trivial to scan for the topology of the network behind the firewall,
> for example. It is possible to fingerprint network stacks to some
> extent through a stateless packet filter.
> --
> Crist J. Clark                     cjclark@alum.mit.edu

Forgive me if this is a stupid question, but could you give a hint (or
directions to learn) when, and in which type/port ipfw rules, should
keep-state be used?

Thanks

-
*** Mario Lobo
*** Head of Computer Department
*** American School of Recife

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
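As an added illustration of the question being asked (this is example code written for this page, not a reply from the list and not any poster's ruleset), the script below puts a stateless ruleset in the spirit of the quoted one next to a stateful one that uses check-state and keep-state, including keep-state on outbound ICMP echo requests. The interface name em0, the ports chosen and the rule numbers are assumptions; the quoted rules have their interface names missing, so nothing here reproduces them exactly. By default the script only prints the ipfw commands (a dry run), so it can be read and checked without root; setting IPFW=ipfw loads the rules for real.

```shell
#!/bin/sh
# Added example, not from the thread: stateless vs. stateful ipfw rulesets.
# IPFW defaults to a dry run that only prints the commands, so the script
# can be read and tested without root; run with IPFW=ipfw to load it for real.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-em0}"   # assumed outside interface name; replace with yours

# Stateless variant in the spirit of the quoted rules: only the TCP flag
# bits decide what comes in, so any inbound packet with ACK set passes
# rule 310 whether or not a connection actually exists. (ipfw spells the
# flag test "established"; "connected" is not an ipfw keyword.)
stateless_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 300 allow tcp from any to any out via "$OIF"
    $IPFW add 305 allow log tcp from any to any 80 in via "$OIF" setup
    $IPFW add 310 allow tcp from any to any in via "$OIF" established
    $IPFW add 320 deny log tcp from any to any in via "$OIF"
    $IPFW add 65000 deny log ip from any to any
}

# Stateful variant: keep-state goes on the rule that admits the first
# packet of a flow; check-state sits at the top so return traffic is
# matched against the dynamic table rather than against flag bits.
stateful_ruleset() {
    $IPFW -f flush
    $IPFW add 100 check-state
    $IPFW add 200 allow ip from any to any via lo0
    # TCP: state is created on the outbound SYN only.
    $IPFW add 300 allow tcp from me to any out via "$OIF" setup keep-state
    # UDP: keep-state gives DNS/NTP replies a window back in, nothing else.
    $IPFW add 310 allow udp from me to any 53,123 out via "$OIF" keep-state
    # ICMP: keep-state on outbound echo requests (type 8), so only the
    # matching echo replies return; unsolicited inbound ICMP does not match.
    $IPFW add 320 allow icmp from me to any out via "$OIF" icmptypes 8 keep-state
    # ICMP errors needed for path MTU discovery and traceroute stay stateless.
    $IPFW add 330 allow icmp from any to me in via "$OIF" icmptypes 3,11
    # A service you offer: stateful as well, state created on the inbound SYN.
    $IPFW add 400 allow log tcp from any to me 80 in via "$OIF" setup keep-state
    $IPFW add 65000 deny log ip from any to any
}

# Review helper for a dry run: print the numbers of the rules that create
# state, so it is obvious where dynamic entries can come from.
keep_state_rules() {
    "$@" | awk '/keep-state/ { printf "%s%s", sep, $3; sep = " " }'
}

# Print the stateful ruleset when run directly.
stateful_ruleset
```

In the dry run, `keep_state_rules stateful_ruleset` lists 300 310 320 400 and `keep_state_rules stateless_ruleset` lists nothing, which is the point: in the stateless set no rule ever records a flow, so rule 310 has to trust the ACK bit alone.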