Date: Wed, 07 Jun 2000 16:26:26 +0100
From: David Pick <D.M.Pick@qmw.ac.uk>
To: Fernando Schapachnik <fpscha@via-net-works.net.ar>
Cc: freebsd-security@freebsd.org
Subject: Re: IPFilter question
Message-ID: <E12zhis-0001Hq-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Wed, 07 Jun 2000 11:52:34 -0300." <200006071452.LAA16205@ns1.via-net-works.net.ar>
> Using keep state with icmp doesn't allow traceroutes. The
> solution I found was to let icmp types 0 and 11 in. Is this supposed
> to work this way or did I misconfigure something? Shouldn't `keep state' be
> enough to let traceroute work?

The problem is that traceroute works by sending out IP packets with gradually increasing TTL values and gathering the ICMP error reports that are generated as each packet gets so far and the TTL counts down to zero. So the ICMP responses come back from the intermediate router that dropped the output packet. So the source address of the ICMP packet is unpredictable, and the "keep-state" rule only puts in the *destination* IP address as the source address for the returning packets.

The same comments apply to *all* ICMP packets: for example, blocking ICMP responses from intermediate routers will also break the MTU path discovery mechanism.

Interesting point: could "keep-state" generate a rule that would allow ICMP packets with a destination that matches the source address of the outbound packet, but without any check on the returning source address? This would allow us to block ICMPs being used for back-channel communication unless we're unlucky enough that the sender manages to match the (source) address of an outgoing packet during the time window the kept state entry was in place.

-- 
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
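The following toy model illustrates the matching problem David describes and the relaxed check he proposes. It is an added example, not IPFilter's own code or anything posted in the thread: a state table keyed on the (source, destination) addresses of outbound packets, with three ways of matching an inbound ICMP error against it. "strict" is the reverse-address check described above (reply must come from the original destination), "relaxed" is the destination-only check proposed in the last paragraph, and "quoted" is a third mode, added here as a generalisation, that matches the original datagram an ICMP error carries in its payload against the table. All addresses, the hop router and the "stranger" host are constructed for the example.

```python
"""Toy model of ``keep state`` matching for ICMP errors.

Constructed example; not IPFilter's implementation.  It models only the
address-level bookkeeping the mailing-list post talks about.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# ICMP types that are error reports about some other datagram:
# 3 = destination unreachable (includes "fragmentation needed", code 4,
#     used by path MTU discovery), 11 = time exceeded (what traceroute collects).
ICMP_ERROR_TYPES = {3, 11}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "udp" or "icmp"
    icmp_type: int = -1               # only meaningful when proto == "icmp"
    inner: Optional["Packet"] = None  # datagram quoted inside an ICMP error


class KeepState:
    """State table keyed on (src, dst) of packets that went out."""

    def __init__(self, mode: str) -> None:
        assert mode in ("strict", "relaxed", "quoted")
        self.mode = mode
        self.entries: Set[Tuple[str, str]] = set()

    def outbound(self, p: Packet) -> None:
        self.entries.add((p.src, p.dst))

    def allows_inbound(self, p: Packet) -> bool:
        is_error = p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES
        if is_error and self.mode == "relaxed":
            # Proposal from the post: accept an ICMP error whose destination is the
            # source of some kept-state entry, with no check on who sent it.
            return any(src == p.dst for src, _ in self.entries)
        if is_error and self.mode == "quoted":
            # Match the datagram the error is about, not the error's outer header.
            # An intermediate router's report then matches; a forger would have to
            # guess both addresses of a live flow to get through.
            return p.inner is not None and (p.inner.src, p.inner.dst) in self.entries
        # Default (strict) behaviour: the reply must come from the original destination.
        return (p.dst, p.src) in self.entries


def simulate(mode: str) -> Dict[str, bool]:
    """Run a traceroute probe and a ping through the table, then test replies."""
    fw = KeepState(mode)
    host, target = "10.0.0.5", "203.0.113.10"   # constructed addresses
    hop = "198.51.100.1"                         # router where the probe's TTL expires
    stranger = "192.0.2.99"                      # host nobody on our side talked to

    probe = Packet(host, target, "udp")
    fw.outbound(probe)                                       # traceroute probe
    fw.outbound(Packet(host, target, "icmp", icmp_type=8))   # ordinary echo request

    cases = {
        "echo reply from target":      Packet(target, host, "icmp", icmp_type=0),
        "ttl exceeded from hop":       Packet(hop, host, "icmp", icmp_type=11, inner=probe),
        "frag needed from hop":        Packet(hop, host, "icmp", icmp_type=3, inner=probe),
        "ttl exceeded to idle host":   Packet(stranger, "10.0.0.9", "icmp", icmp_type=11),
        "ttl exceeded from stranger":  Packet(stranger, host, "icmp", icmp_type=11),
    }
    return {name: fw.allows_inbound(p) for name, p in cases.items()}


if __name__ == "__main__":
    for mode in ("strict", "relaxed", "quoted"):
        print(mode, simulate(mode))
```

With "strict", the echo reply passes but both router-generated errors are dropped, which is exactly the traceroute and path-MTU breakage described above. "relaxed" lets the router errors through, still drops an error aimed at a host that never sent anything, but also admits the stranger's error to the active host during the state entry's lifetime, the window David mentions. "quoted" closes that window for an attacker who does not know the live (src, dst) pair, which is why matching on the embedded header is the usual way to handle ICMP errors statefully.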