From owner-freebsd-security Wed Jun 7 8:26:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 5BC8137B5B3 for ; Wed, 7 Jun 2000 08:26:39 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 12zhir-0003lt-00; Wed, 07 Jun 2000 16:26:25 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 12zhis-0001Hq-00; Wed, 7 Jun 2000 16:26:26 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: Fernando Schapachnik
Cc: freebsd-security@freebsd.org
Subject: Re: IPFilter question
In-reply-to: Your message of "Wed, 07 Jun 2000 11:52:34 -0300." <200006071452.LAA16205@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Wed, 07 Jun 2000 16:26:26 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Using keep state with icmp doesn't allow traceroutes. The
> solution I found was to let icmp types 0 and 11 in. Is this supposed
> to work this way or did I misconfigure something? Shouldn't `keep state' be
> enough to let traceroute work?

The problem is that traceroute works by sending out IP packets with gradually increasing TTL values and gathering the ICMP error reports that are generated as each packet gets so far and its TTL counts down to zero. So the ICMP responses come back from the intermediate router that dropped the outgoing packet, and the source address of the ICMP packet is unpredictable, whereas the "keep state" rule only puts in the *destination* IP address as the source address for the returning packets.

The same comments apply to *all* ICMP packets: for example, blocking ICMP responses from intermediate routers will also break the path MTU discovery mechanism.
Interesting point: could "keep state" generate a rule that would allow ICMP packets with a destination that matches the source address of the outbound packet, but without any check on the returning source address? This would allow us to block ICMPs being used for back-channel communication unless we're unlucky enough that the sender manages to match the (source) address of an outgoing packet during the time window the kept state entry was in place.

--
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
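The following toy model is an added illustration of the two points made in this message; it is not code from the thread or from IPFilter. It simulates an ICMP-echo traceroute across a constructed three-hop route (RFC 5737 documentation addresses) and runs the replies through a minimal state table under three matching policies: the classic behaviour David Pick describes (the reply must come *from* the original destination, so the Time Exceeded messages from intermediate routers fail to match), his suggested looser rule (only require the packet to be addressed *to* the original source, with no check on the sender), and a third policy that is my own addition, not something proposed in the thread: admit an ICMP error only when the datagram it quotes matches the state entry. All hosts, packets and the hypothetical "back-channel" probe are constructed for the example.

```python
"""Toy model of 'keep state' versus traceroute replies.

Added illustration, not code from the thread or from IPFilter. Hosts, route
and packets are constructed (RFC 5737 addresses); a real filter keys state on
more fields, inspects the quoted header more carefully and ages entries out.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11

SRC = "192.0.2.10"                                     # host running traceroute
PATH = ["203.0.113.1", "203.0.113.2", "198.51.100.7"]  # constructed route; last hop is the target


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int = 0
    ttl: int = 64
    inner: Optional[Packet] = None   # original datagram quoted inside an ICMP error


@dataclass(frozen=True)
class StateEntry:
    src: str
    dst: str
    icmp_id: int


class StatefulFilter:
    """reply_source: classic 'keep state' as described in the thread; the reply
                     must come FROM the original destination.
       dest_only:    David Pick's suggestion; only require the packet to be
                     addressed TO the original source, no check on the sender.
       quoted:       my addition (not from the thread): admit an ICMP error only
                     if the datagram it quotes matches the state entry."""

    def __init__(self, mode: str) -> None:
        if mode not in ("reply_source", "dest_only", "quoted"):
            raise ValueError(mode)
        self.mode = mode
        self.table: list[StateEntry] = []

    def pass_out(self, p: Packet) -> None:
        self.table.append(StateEntry(p.src, p.dst, p.icmp_id))

    def allows_in(self, p: Packet) -> bool:
        for e in self.table:
            if p.dst != e.src:            # every mode: reply must be addressed to us
                continue
            if self.mode == "dest_only":
                return True
            # a genuine echo reply from the destination is fine in every mode
            if (p.icmp_type == ICMP_ECHO_REPLY and p.src == e.dst
                    and p.icmp_id == e.icmp_id):
                return True
            if self.mode == "quoted" and p.inner is not None:
                q = p.inner
                if (q.src, q.dst, q.icmp_id) == (e.src, e.dst, e.icmp_id):
                    return True
        return False


def network_reply(probe: Packet) -> Packet:
    """What the constructed route sends back for a probe with the given TTL."""
    hop = PATH[min(probe.ttl, len(PATH)) - 1]
    if hop == probe.dst:
        return Packet(hop, probe.src, ICMP_ECHO_REPLY, icmp_id=probe.icmp_id)
    # TTL expired in transit: the intermediate router answers from ITS OWN address
    return Packet(hop, probe.src, ICMP_TIME_EXCEEDED, inner=probe)


def run_traceroute(mode: str) -> list[tuple[int, str, bool]]:
    """Returns (ttl, replying address, passed the filter?) for each hop."""
    fw = StatefulFilter(mode)
    out = []
    for ttl in range(1, len(PATH) + 1):
        probe = Packet(SRC, PATH[-1], ICMP_ECHO, icmp_id=0x1234, ttl=ttl)
        fw.pass_out(probe)
        reply = network_reply(probe)
        out.append((ttl, reply.src, fw.allows_in(reply)))
    return out


def back_channel_allowed(mode: str) -> bool:
    """An unrelated host sends an unsolicited echo reply while a state entry exists."""
    fw = StatefulFilter(mode)
    fw.pass_out(Packet(SRC, PATH[-1], ICMP_ECHO, icmp_id=0x1234))
    bogus = Packet("198.51.100.200", SRC, ICMP_ECHO_REPLY, icmp_id=0xBEEF)
    return fw.allows_in(bogus)


if __name__ == "__main__":
    for mode in ("reply_source", "dest_only", "quoted"):
        print(mode, run_traceroute(mode), "back-channel:", back_channel_allowed(mode))
```

Under `reply_source` only the final hop's echo reply gets through, which is exactly the symptom in the quoted question; under `dest_only` all three hops pass, but so does the unsolicited packet from an unrelated host, which is the window David Pick worries about; the `quoted` policy passes the three hops and still drops the unrelated packet, because a Time Exceeded message carries the header of the datagram that triggered it and that header can be matched against the state entry without any assumption about who sent the error.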