Re: can I use keep-state for icmp rules?

From: David Trzcinski (xlr82xs@xlr82xs.shacknet.nu)
Date: 10/30/01


From: David Trzcinski <xlr82xs@xlr82xs.shacknet.nu>
To: "Michael Scheidell" <scheidell@fdma.com>, <freebsd-security@FreeBSD.ORG>
Date: Tue, 30 Oct 2001 22:51:35 +1000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, that depends.
If you're like me and allow incoming established connections to any port,
connections to be established to certain ports, and deny the rest, it's
unlikely, unless he connects without sending a "connect" packet first (i.e.
SYN, whatever... it's been a while, bear with me), that he could do that, as
though the packet would make it through your firewall, your computer
wouldn't/shouldn't reply to it, or establish a connection.

At least that's my understanding of it.

Don't quote me.
Don't quote anyone I know.

On Tue, 30 Oct 2001 22:39, Michael Scheidell wrote:
> From: "Crist J. Clark" <cristjc@earthlink.net>
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
>
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

- --
                      Loose bits sink chips.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE73qJYum8ncRDnN44RAoWBAKCg5LX2DkSPn6RhXxCMlU4lHYou1ACdFA6k
DLOlcK2Wu+VPmQfv7jvwjUk=
=+06r
-----END PGP SIGNATURE-----
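
Added example, not part of the thread: an ipfw ruleset that puts the loose ICMP keep-state rule Crist describes (any ICMP out, dynamic entry letting any ICMP back from that destination) next to a tighter one that only creates state for echo requests, and shows the TCP side handled with check-state plus "setup keep-state". The outside interface name em0, the use of "me" for the firewall's own addresses, the rule numbers and the shell helper functions are my assumptions, not anything the posters wrote.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset contrasting a loose
# ICMP keep-state rule with a tighter one, plus stateful TCP behind
# check-state. Assumed: outside interface em0, firewall addresses = "me",
# arbitrary rule numbers.

EXT_IF="${EXT_IF:-em0}"   # assumed outside interface name

# The rule as Crist describes it: any ICMP out, and a dynamic entry that
# admits any ICMP back from that destination while the entry lives.
loose_icmp_rule() {
    printf 'add 400 allow icmp from me to any out via %s keep-state\n' "$EXT_IF"
}

# Tighter variant: create state only for echo requests (type 8), so the
# dynamic entry exists only for pings we started; admit the ICMP error
# types other traffic depends on (3 = unreachable, 11 = time exceeded)
# statelessly and let the final deny drop every other ICMP type.
tight_icmp_rules() {
    printf 'add 400 allow icmp from me to any out via %s icmptypes 8 keep-state\n' "$EXT_IF"
    printf 'add 410 allow icmp from any to me in via %s icmptypes 3,11\n' "$EXT_IF"
}

# Full ruleset. check-state comes first so packets matching an existing
# dynamic entry are accepted before static rules are consulted. TCP rules
# carry "setup" so only a SYN without ACK can create an entry. As Crist
# says, ipfw does not track the handshake beyond that: once the entry
# exists any packet on the same addresses/ports matches it, and the TCP
# flags only change how long the entry lives.
gen_rules() {
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any via lo0
add 300 allow tcp from any to me 25 in via $EXT_IF setup keep-state
add 310 allow tcp from me to any out via $EXT_IF setup keep-state
add 320 allow udp from me to any 53 out via $EXT_IF keep-state
EOF
    tight_icmp_rules
    printf 'add 65000 deny log ip from any to any\n'
}

# Number of rules that create dynamic state; a quick review sanity check.
count_stateful() {
    gen_rules | grep -c 'keep-state'
}

# Syntax-check with ipfw where it exists (-n parses the file without
# touching the kernel); elsewhere just print the rules for review.
main() {
    tmp="$(mktemp)"
    gen_rules > "$tmp"
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -n "$tmp"
    else
        cat "$tmp"
    fi
    rm -f "$tmp"
}

main "$@"
```

On a FreeBSD box, load the output with `ipfw -q /path/to/rules` after the `-n` dry run succeeds. The lifetimes that TCP flags influence are the `net.inet.ip.fw.dyn_syn_lifetime`, `dyn_ack_lifetime`, `dyn_fin_lifetime` and `dyn_rst_lifetime` sysctls (with `dyn_short_lifetime` covering non-TCP entries such as the ICMP ones); they are timers on a dynamic entry, not a state machine.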
