Date: Tue, 30 Oct 2001 07:39:09 -0500
From: "Michael Scheidell" <scheidell@fdma.com>
To: <freebsd-security@freebsd.org>
Subject: Re: can I use keep-state for icmp rules?
Message-ID: <005501c1613f$dfb46520$0603a8c0@MIKELT>
References: <009c01c16017$dca045d0$0603a8c0@MIKELT> <20011029153954.B224@gohan.cjclark.org>
From: "Crist J. Clark" <cristjc@earthlink.net>
Newsgroups: local.freebsd.security
Sent: Monday, October 29, 2001 8:14 PM
Subject: Re: can I use keep-state for icmp rules?

> Does it _really_ check what? The rule you have will allow any ICMP out
> of your network and create a dynamic rule to allow any ICMP back into
> the network from the destination of your outgoing message.
>
> > like tcp, there is the syn/ack/fin
> > handshake, will it only allow return icmp for outgoing?
>
> ipfw(8) doesn't know anything about TCP handshakes. You may be under
> the impression that ipfw(8) actually tracks the state of TCP
> connections. It doesn't really. The flags in TCP packets can affect
> the lifetime of the rule, but it doesn't really track the state.

You mean if I send email to your system, you can immediately connect to my
internal tcp ports that might not normally have external access available?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005501c1613f$dfb46520$0603a8c0>
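The behaviour Crist describes (a dynamic rule keyed on the addresses and ports of the packet that created it, with TCP flags only adjusting how long the rule lives) can be seen in a small model. The following is an added example written for this archive page; it is not ipfw's source and not code posted by either participant. It models the ruleset "check-state / allow tcp from <internal> to any setup keep-state / allow icmp from <internal> to any keep-state / deny ip from any to any", uses ipfw's default net.inet.ip.fw.dyn_*_lifetime values, and the Packet, DynRule and Firewall classes, the addresses and the packet sequences are all assumptions constructed for the demonstration. It answers the question at the end of the message: the dynamic rule created by an outbound SMTP connection matches only the reverse of that exact 5-tuple, so the mail host cannot use it to reach a different internal port.

```python
# Added example for this thread, not ipfw's own code: a simplified model of
# ipfw(8) keep-state / check-state dynamic rules. Lifetimes are ipfw's default
# net.inet.ip.fw.dyn_*_lifetime values; classes and addresses are assumptions.
from dataclasses import dataclass

DYN_SYN_LIFETIME = 20    # TCP: opening, SYN seen in one direction only
DYN_ACK_LIFETIME = 300   # TCP: SYN seen in both directions ("established")
DYN_FIN_LIFETIME = 1     # TCP: both sides have sent FIN
DYN_RST_LIFETIME = 1     # TCP: RST seen
DYN_UDP_LIFETIME = 10
DYN_SHORT_LIFETIME = 5   # everything else, including ICMP

INTERNAL = "192.168.3.6"  # constructed inside host
MAILHOST = "10.0.0.25"    # constructed remote mail server


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int                      # 0 for protocols without ports
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags carried by this packet

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class DynRule:
    """Keyed on the 5-tuple of the creating packet. TCP flags are accumulated
    per direction only to pick the expiry time, never to decide a match."""
    def __init__(self, pkt, now):
        self.key, self.fwd_flags, self.rev_flags = pkt.key(), frozenset(), frozenset()
        self.update(pkt, "forward", now)

    def matches(self, pkt):
        p, s, sp, d, dp = pkt.key()
        if (p, s, sp, d, dp) == self.key:
            return "forward"
        if (p, d, dp, s, sp) == self.key:      # same addresses/ports, swapped
            return "reverse"
        return None

    def update(self, pkt, direction, now):
        if direction == "forward":
            self.fwd_flags |= pkt.flags
        else:
            self.rev_flags |= pkt.flags
        self.expire = now + self.lifetime()

    def lifetime(self):
        if self.key[0] == "udp":
            return DYN_UDP_LIFETIME
        if self.key[0] != "tcp":
            return DYN_SHORT_LIFETIME
        both = self.fwd_flags & self.rev_flags
        if "RST" in (self.fwd_flags | self.rev_flags):
            return DYN_RST_LIFETIME
        if {"SYN", "FIN"} <= both:
            return DYN_FIN_LIFETIME
        return DYN_ACK_LIFETIME if "SYN" in both else DYN_SYN_LIFETIME


class Firewall:
    """Models: check-state; allow tcp from <internal> to any setup keep-state;
    allow icmp from <internal> to any keep-state; deny ip from any to any."""
    def __init__(self, internal):
        self.internal, self.dyn = internal, {}

    def process(self, pkt, now):
        self.dyn = {k: r for k, r in self.dyn.items() if r.expire > now}
        for rule in self.dyn.values():                      # check-state
            direction = rule.matches(pkt)
            if direction:
                rule.update(pkt, direction, now)
                return "allow (dynamic)"
        if pkt.src == self.internal:                        # keep-state rules
            setup = "SYN" in pkt.flags and "ACK" not in pkt.flags
            if (pkt.proto == "tcp" and setup) or pkt.proto == "icmp":
                self.dyn[pkt.key()] = DynRule(pkt, now)
                return "allow (new dynamic rule)"
        return "deny"


def scenario_icmp():
    """Echo out opens a rule; only that host's reply matches; it then expires."""
    fw = Firewall(INTERNAL)
    echo = Packet("icmp", INTERNAL, 0, MAILHOST, 0)
    reply = Packet("icmp", MAILHOST, 0, INTERNAL, 0)
    stranger = Packet("icmp", "10.0.0.99", 0, INTERNAL, 0)
    return (fw.process(echo, 0), fw.process(reply, 1), fw.process(stranger, 1),
            fw.process(reply, 1 + DYN_SHORT_LIFETIME + 1))


def scenario_tcp():
    """Outbound SMTP: handshake passes, the mail host cannot reach port 22, a
    peer RST still matches by 5-tuple but cuts the lifetime to DYN_RST_LIFETIME."""
    fw = Firewall(INTERNAL)
    syn = Packet("tcp", INTERNAL, 40000, MAILHOST, 25, frozenset({"SYN"}))
    synack = Packet("tcp", MAILHOST, 25, INTERNAL, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", INTERNAL, 40000, MAILHOST, 25, frozenset({"ACK"}))
    probe = Packet("tcp", MAILHOST, 25, INTERNAL, 22, frozenset({"SYN"}))
    rst = Packet("tcp", MAILHOST, 25, INTERNAL, 40000, frozenset({"RST"}))
    verdicts = [fw.process(p, 0) for p in (syn, synack, ack, probe)]
    established = next(iter(fw.dyn.values())).lifetime()
    verdicts += [fw.process(rst, 0), fw.process(ack, DYN_RST_LIFETIME + 1)]
    return verdicts, established
```

Two caveats the model makes visible. First, the RST (or any packet) from the peer is accepted purely because its addresses and ports match the dynamic rule; the flags only move the expiry forward, which is the "lifetime, not state" distinction in the quoted reply. Second, the ICMP dynamic rule is keyed on the destination of the outgoing packet, so under this model an ICMP error generated by an intermediate router (a time-exceeded or unreachable from a hop along the path) does not match it and would need its own static rule if you want to see it.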