From owner-freebsd-security Thu Nov 1 23:15:23 2001
Date: Thu, 1 Nov 2001 23:14:41 -0800
From: "Crist J. Clark"
To: gregw-freebsd-security@greg.cex.ca, freebsd-security@FreeBSD.ORG
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <20011101231441.I4360@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org> <005501c1613f$dfb46520$0603a8c0@MIKELT> <20011030164253.C223@gohan.cjclark.org> <000901c1620f$51428530$2801010a@MIKELT> <20011031130817.A246@gohan.cjclark.org> <20011031144209.A89351@bluenugget.net> <20011031160928.H58605@greg.cex.ca> <20011101211351.E4360@blossom.cjclark.org> <20011101222430.O58605@greg.cex.ca>
In-Reply-To: <20011101222430.O58605@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Thu, Nov 01, 2001 at 10:24:30PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Thu, Nov 01, 2001 at 10:24:30PM -0800, Greg White wrote:
> On Thu Nov 11/01/01, 2001 at 09:13:51PM -0800, Crist J. Clark wrote:
[snip]
> > If you only want to catch an outgoing, initial SYN, you want
> > 'flags S/SA'.
>
> Really? That was not my understanding of the ipfilter docs, nor does it
> seem to match the output of ipfstat:

Oops. You are correct. I misread the ipf(5) manpage. It says in the
'flags' section,

    However, to guard against weird aberrations, it is necessary to
    state which flags you are filtering against.

However, it later states that the behavior you observed is what actually
happens. It is not actually _necessary_ to state which flags you are
filtering against.

And thinking about this more, I did know this, because looking at an old
configuration on an OpenBSD host with a firewall, I used this behavior
to do some specialized logging.

Sorry for the confusion.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
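The point the thread settles is how ipfilter's `flags` keyword compares a TCP header against a rule: the rule names the flags that must be set and, optionally after a slash, the mask of flags that are examined at all; when the mask is omitted, every flag is examined, so `flags S` already means "SYN and nothing else", while `flags S/SA` only constrains SYN and ACK. The Python below is an added example, not code from the thread or from ipfilter, that models that comparison so the two spellings can be run side by side against constructed TCP headers. It assumes the six classic flag letters (F, S, R, P, A, U) and a default mask of all six; the sample headers and the rejection of a spec whose flags fall outside its mask are the example's own choices, not claims about ipf's parser.

```python
import struct

# ipf(5) flag letters -> bit positions in byte 13 of the TCP header.
# Assumption of this model: only the six classic flags are considered.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def _bits(letters):
    """Convert a string of ipf flag letters into a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError("unknown TCP flag letter: %r" % ch)
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags_spec(spec):
    """Parse an ipf 'flags' argument ('S', 'S/SA', 'SA/SA', ...) into (want, mask).

    With no '/mask' part the comparison covers all six flags, so 'S' behaves
    like 'S/FSRPAU': SYN set and every other flag clear.  'S/SA' examines
    only SYN and ACK, so a SYN+PSH segment still matches it.
    """
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    want_bits, mask_bits = _bits(want), _bits(mask)
    # Sanity check of this model (not a statement about ipf's own parser):
    # a flag that must be set but is not examined can never match.
    if want_bits & ~mask_bits:
        raise ValueError("flags %r are not all within mask %r" % (want, mask))
    return want_bits, mask_bits


def flags_match(spec, tcp_flags):
    """True if a header whose flag byte is 'tcp_flags' matches 'flags <spec>'."""
    want, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == want


def tcp_flags_from_header(hdr):
    """Extract the six classic flag bits from a raw TCP header (byte 13)."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    return hdr[13] & 0x3F


def build_tcp_header(sport, dport, flag_letters):
    """Constructed minimal 20-byte TCP header used only as sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,
                       _bits(flag_letters), 65535, 0, 0)


# Constructed sample segments: an initial SYN, a SYN carrying PSH, the
# SYN+ACK reply, and a plain ACK from mid-connection.
SAMPLE_PACKETS = {
    "SYN":     build_tcp_header(40000, 23, "S"),
    "SYN+PSH": build_tcp_header(40001, 23, "SP"),
    "SYN+ACK": build_tcp_header(23, 40000, "SA"),
    "ACK":     build_tcp_header(40000, 23, "A"),
}


def match_table(specs=("S", "S/SA", "SA/SA")):
    """For each rule spelling, the names of sample segments it would match."""
    return {spec: {name for name, hdr in SAMPLE_PACKETS.items()
                   if flags_match(spec, tcp_flags_from_header(hdr))}
            for spec in specs}


if __name__ == "__main__":
    for spec, names in match_table().items():
        print("flags %-6s matches: %s" % (spec, ", ".join(sorted(names)) or "-"))
```

Running it shows `flags S` catching only the bare SYN, `flags S/SA` also accepting the SYN+PSH segment, and `flags SA/SA` picking out the SYN+ACK reply; for a `keep state` rule that should only ever see the first packet of an outbound connection, the unmasked form is the stricter of the two, which is the behavior Greg observed in ipfstat.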