Date:      Tue, 8 Nov 2005 10:59:03 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Alberto Alesina <aalesina@yahoo.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF "keep state" for ICMP
Message-ID:  <20051108095903.GB6116@insomnia.benzedrine.cx>
In-Reply-To: <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>
References:  <20051108074236.18256.qmail@web32602.mail.mud.yahoo.com>

On Mon, Nov 07, 2005 at 11:42:36PM -0800, Alberto Alesina wrote:

> My question is - would *only* ICMP echo *replies* be
> allowed back against that state? Or, would *any* ICMP
> traffic with the corresponding ICMP ID, source address
> and destination address be allowed? 

The latter.

> If *any* ICMP traffic is allowed back, if I happen to
> initiate ICMP echo *requests* from A to C (picking the
> same ICMP ID as the one in the state created by the
> ICMP echo requests from C to A), wouldn't that be a
> case where you can bypass the PF firewall?

If you want to put it that way, yes.

Assuming you're a malicious A, what do you gain, though? You're already
getting pinged by C, so you know it's there. You could already deliver
an arbitrary amount of reply packets. Fingerprinting silliness?

Daniel
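A small model of the state matching Daniel describes, added here as an illustration and not taken from PF's source or from the thread. It assumes exactly what the message states: the state created by an outbound echo request is keyed on source address, destination address and ICMP id, and any inbound ICMP packet matching that key is passed regardless of type. The host addresses (RFC 5737 ranges), the ICMP id and the names are constructed for the example.

```python
"""Toy model of the ICMP "keep state" behaviour discussed in the thread.

Added illustration, not PF code.  Models a rule like
    pass out proto icmp keep state
with a default block for inbound traffic.  Host C sits behind the
firewall; A and B are outside.  Addresses are constructed.
"""
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13

HOST_A = "192.0.2.10"      # constructed, outside
HOST_B = "192.0.2.20"      # constructed, outside, never pinged by C
HOST_C = "198.51.100.5"    # constructed, behind the firewall


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class PfIcmpStateTable:
    """Assumed semantics: state key is (src, dst, icmp id), type is ignored."""

    def __init__(self):
        self.states = set()

    def outbound(self, pkt):
        # Outbound ICMP is passed and creates a state keyed on the
        # outbound packet's addresses and ICMP id.
        self.states.add((pkt.src, pkt.dst, pkt.icmp_id))
        return True

    def inbound(self, pkt):
        # Inbound ICMP is passed only if it matches an existing state,
        # looked up with the addresses reversed.  The ICMP type is not
        # part of the lookup, which is the point Alberto raised.
        return (pkt.dst, pkt.src, pkt.icmp_id) in self.states


def demo():
    fw = PfIcmpStateTable()
    ping_id = 0x1234  # constructed id chosen by C's ping

    # C pings A: state (C, A, 0x1234) is created.
    fw.outbound(Icmp(HOST_C, HOST_A, ICMP_ECHO_REQUEST, ping_id))

    return {
        # The intended case: A's echo reply matches the state.
        "reply_from_a": fw.inbound(
            Icmp(HOST_A, HOST_C, ICMP_ECHO_REPLY, ping_id)),
        # The case asked about: A's echo *request* reusing the id also passes.
        "request_from_a_same_id": fw.inbound(
            Icmp(HOST_A, HOST_C, ICMP_ECHO_REQUEST, ping_id)),
        # Any other ICMP type with matching addresses and id passes too.
        "timestamp_from_a_same_id": fw.inbound(
            Icmp(HOST_A, HOST_C, ICMP_TIMESTAMP_REQUEST, ping_id)),
        # A different id does not match the state.
        "request_from_a_other_id": fw.inbound(
            Icmp(HOST_A, HOST_C, ICMP_ECHO_REQUEST, ping_id + 1)),
        # A host C never pinged has no state at all.
        "request_from_b_same_id": fw.inbound(
            Icmp(HOST_B, HOST_C, ICMP_ECHO_REQUEST, ping_id)),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:26s} {'pass' if passed else 'block'}")
```

The model makes Daniel's point concrete: only a host that C has already pinged, and only while that state exists, gets anything through, and only by guessing or observing the id C used. It is the same peer that could already answer with arbitrary reply packets.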



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051108095903.GB6116>