Re: can I use keep-state for icmp rules?

From: Crist J. Clark (cristjc@earthlink.net)
Date: 10/31/01


Date: Tue, 30 Oct 2001 16:42:53 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Michael Scheidell <scheidell@fdma.com>

On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> From: "Crist J. Clark" <cristjc@earthlink.net>
> Newsgroups: local.freebsd.security
> Sent: Monday, October 29, 2001 8:14 PM
> Subject: Re: can I use keep-state for icmp rules?
>
>
> > Does it _really_ check what? The rule you have will allow any ICMP out
> > of your network and create a dynamic rule to allow any ICMP back into
> > the network from the destination of your outgoing message.
> >
> > > like tcp, there is the syn/ack/fin
> > > handshake, will it only allow return icmp for outgoing?
> >
> > ipfw(8) doesn't know anything about TCP handshakes. You may be under
> > the impression that ipfw(8) actually tracks the state of TCP
> > connections. It doesn't really. The flags in TCP packets can affect
> > the lifetime of the rule, but it doesn't really track the state.
> You mean if I send email to your system, you can immediately connect to my
> internal tcp ports that might not normally have external access available?

No. If you send out a TCP packet to my system that matches your
'keep-state' rule,

                   TCP
  src_ip.src_port ----> dst_ip.dst_port

I can send _any_ TCP packet back,

                   TCP
  src_ip.src_port <---- dst_ip.dst_port

And it will pass provided the source and destination IP and ports all
line up. ipfw(8) does not consider the TCP flags, sequence number,
acknowledgement number, etc. when deciding whether to pass or drop.
That is, ipfw(8) knows nothing about the state of the TCP
connection other than one might exist. However, the TCP flags seen
passing by _do_ affect the lifetime of the dynamic rule.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
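Below is an added toy model of the behaviour Crist describes, written for this archive page and not taken from ipfw(8) sources or from either poster. It keys a dynamic rule on protocol, addresses and ports only, so a reply carrying any TCP flags (even a bare SYN) passes, while a packet from a different port on the same remote host does not; the flags only set how long the dynamic rule stays alive. The lifetime values are assumptions loosely modelled on ipfw's net.inet.ip.fw.dyn_*_lifetime sysctls, and all addresses and ports are constructed sample data.

```python
"""Toy model of ipfw(8) 'keep-state' / 'check-state' dynamic rules.

Added illustration, not ipfw code.  A dynamic rule is keyed on
(proto, ip_a, port_a, ip_b, port_b) and matches in either direction.
TCP flags, sequence and acknowledgement numbers never decide pass/drop;
a packet's flags only set the remaining lifetime of the matched rule.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Assumed rule lifetimes in seconds after seeing a given packet kind
# (assumption: roughly modelled on ipfw's dyn_syn/ack/fin/rst_lifetime).
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "other": 10}

Key = Tuple[str, str, int, str, int]   # proto, ip_a, port_a, ip_b, port_b


@dataclass
class Packet:
    proto: str            # "tcp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0     # ICMP: ports stay 0, only addresses are tracked
    dst_port: int = 0
    flags: int = 0        # TCP flags; never consulted for pass/drop
    icmp_type: int = 0    # ICMP type; likewise never consulted


def lifetime_for(pkt: Packet) -> int:
    """Lifetime granted to a dynamic rule by this packet's flags."""
    if pkt.proto != "tcp":
        return LIFETIME["other"]
    if pkt.flags & RST:
        return LIFETIME["rst"]
    if pkt.flags & FIN:
        return LIFETIME["fin"]
    if pkt.flags & SYN and not pkt.flags & ACK:
        return LIFETIME["syn"]
    return LIFETIME["ack"]


class DynamicTable:
    def __init__(self) -> None:
        self.rules: Dict[Key, int] = {}   # key -> expiry timestamp

    @staticmethod
    def _keys(pkt: Packet) -> Tuple[Key, Key]:
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return fwd, rev

    def keep_state(self, pkt: Packet, now: int) -> None:
        """Outbound packet matched a 'keep-state' rule: install dynamic rule."""
        fwd, _ = self._keys(pkt)
        self.rules[fwd] = now + lifetime_for(pkt)

    def check(self, pkt: Packet, now: int) -> bool:
        """'check-state': pass if either direction of the tuple is installed
        and unexpired.  Flags only refresh the lifetime."""
        for key in self._keys(pkt):
            expiry = self.rules.get(key)
            if expiry is None:
                continue
            if expiry <= now:
                del self.rules[key]
                return False
            self.rules[key] = now + lifetime_for(pkt)
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: 10.0.0.5 mails 192.0.2.25 over SMTP."""
    table = DynamicTable()
    table.keep_state(Packet("tcp", "10.0.0.5", "192.0.2.25", 40000, 25, SYN), now=0)
    table.keep_state(Packet("icmp", "10.0.0.5", "192.0.2.25", icmp_type=8), now=0)
    return {
        # A bare SYN back from 192.0.2.25:25 still passes: flags are ignored
        "syn_from_peer_port": table.check(
            Packet("tcp", "192.0.2.25", "10.0.0.5", 25, 40000, SYN), 1),
        # Same remote host, different remote port: no dynamic rule
        "other_remote_port": table.check(
            Packet("tcp", "192.0.2.25", "10.0.0.5", 80, 40000, SYN), 1),
        # Different internal port: also not covered by the dynamic rule
        "other_internal_port": table.check(
            Packet("tcp", "192.0.2.25", "10.0.0.5", 25, 139, SYN), 1),
        # Any ICMP type from the peer passes while the address pair is tracked
        "icmp_any_type": table.check(
            Packet("icmp", "192.0.2.25", "10.0.0.5", icmp_type=3), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the two halves of Crist's answer visible: the remote end can only reach the internal address and port the internal host itself used, but on that tuple the firewall accepts any flags, and a FIN or RST seen on the tuple shortens the rule's life rather than rejecting the packet.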

