Re: can I use keep-state for icmp rules?

From: Antonio Carlos Pina (apina@infolink.com.br)
Date: 10/31/01


From: "Antonio Carlos Pina" <apina@infolink.com.br>
To: <freebsd-security@freebsd.org>
Date: Wed, 31 Oct 2001 13:01:23 -0200

Try again:

ipfw check-state
ipfw add allow icmp from {thishost} to any out via {oif} keep-state
ipfw add deny icmp from any to any

If your firewall is open by default, all packets will go through. You have to
get it closed by default or explicitly deny the packets you don't want, as
seen above.

You should only ping the host back while the dynamic rule exists.

Regards,
Antonio Carlos Pina
Diretor de Tecnologia (CTO)
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Michael Scheidell" <scheidell@fdma.com>
To: <freebsd-security@freebsd.org>
Sent: Wednesday, October 31, 2001 11:24 AM
Subject: Re: can I use keep-state for icmp rules?

> ----- Original Message -----
> From: "Crist J. Clark" <cristjc@earthlink.net>
> To: "Michael Scheidell" <scheidell@fdma.com>
> Cc: <freebsd-security@freebsd.org>
> Sent: Tuesday, October 30, 2001 7:42 PM
> Subject: Re: can I use keep-state for icmp rules?
>
>
> > On Tue, Oct 30, 2001 at 07:39:09AM -0500, Michael Scheidell wrote:
> > > You mean if I send email to your system, you can immediately connect to my
> > > internal tcp ports that might not normally have external access available?
> >
> > No. If you send out a TCP packet to my system that matches your
> > 'keep-state' rule,
> >
> > TCP
> > src_ip.src_port ----> dst_ip.dst_port
> >
> > I can send _any_ TCP packet back,
> >
> > TCP
> > src_ip.src_port <---- dst_ip.dst_port
> >
> > And it will pass provided the source and destination IP and ports all
> > line up. ipfw(8) does not consider the TCP flags, sequence number,
>
>
> So, is ipfilter MORE stateful? i.e., will it check more carefully?
> One reason I asked: while testing the ipf icmp rules.
>
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)
>
>
>
>

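As an added illustration of the behaviour discussed in this thread (not code from the list, and not ipfw's own implementation), here is a small Python model of the three-rule set Antonio gives, replayed against Michael's three test steps. It assumes only what the messages describe: a keep-state rule creates a dynamic entry keyed on the two endpoints, check-state passes matching packets in either direction without looking at flags or sequence numbers, the entry expires when idle, and anything matching no rule falls to the default policy. Addresses are constructed samples; the `lifetime` value is an assumption.

```python
from dataclasses import dataclass

THISHOST = "192.0.2.10"    # constructed sample addresses
REMOTE = "198.51.100.5"
STRANGER = "203.0.113.7"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    direction: str  # "out" or "in" on the outside interface
    sport: int = 0  # ports stay 0 for ICMP
    dport: int = 0

class Firewall:
    # Models: check-state; allow icmp from THISHOST to any out keep-state;
    # deny icmp from any to any (the deny is present only when closed=True).
    def __init__(self, closed=True, lifetime=20):
        self.closed = closed
        self.lifetime = lifetime  # seconds a dynamic rule lives without traffic
        self.dynamic = {}  # bidirectional key -> expiry time

    @staticmethod
    def key(p):
        # Keyed on the two endpoints only, order-normalised so replies match.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p, now):
        k = self.key(p)
        # check-state: a live dynamic rule passes the packet in either
        # direction; no flags or sequence numbers are inspected.
        if k in self.dynamic:
            if now < self.dynamic[k]:
                self.dynamic[k] = now + self.lifetime  # traffic refreshes it
                return "allow dynamic"
            del self.dynamic[k]  # expired
        # allow icmp from {thishost} to any out via {oif} keep-state
        if p.proto == "icmp" and p.src == THISHOST and p.direction == "out":
            self.dynamic[k] = now + self.lifetime
            return "allow keep-state"
        # deny icmp from any to any, only in a closed ruleset
        return "deny" if self.closed else "allow open-by-default"

def ping_scenario(closed=True):
    # Replays the thread's steps; returns the verdict for each packet.
    fw = Firewall(closed=closed)
    out = fw.filter(Packet("icmp", THISHOST, REMOTE, "out"), now=0)
    reply = fw.filter(Packet("icmp", REMOTE, THISHOST, "in"), now=1)
    third = fw.filter(Packet("icmp", STRANGER, THISHOST, "in"), now=1)
    late = fw.filter(Packet("icmp", REMOTE, THISHOST, "in"), now=60)
    return out, reply, third, late
```

With `closed=True` the remote host's ping back is passed only while the dynamic entry is alive, an unrelated host is denied, and the remote is denied again once the entry has expired; with `closed=False` everything that misses the dynamic table is passed, which is the open-by-default case Antonio warns about.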