Re: can I use keep-state for icmp rules?

From: Krzysztof Zaraska
Date: 10/31/01

Date: Wed, 31 Oct 2001 20:45:35 +0100 (CET)
From: Krzysztof Zaraska <>
To: Michael Scheidell <>

On Wed, 31 Oct 2001, Michael Scheidell wrote:
> So, is ipfilter MORE stateful? ie, will it check more carefully?
At least with TCP, yes.

> One reason I asked, while testing the ipf icmp rules.
> Step 1: ipfw add allow icmp from {thishost} to any out via {oif} keep-state
> Step 2: ping remote host
> (works)
> Step 3: log on to remote host and ping {thishost} back. I was able to ping
> it.
> Sorta scared me. (no additional ipfw rules)
See my previous mail on this topic. keep-state will allow back _any_ ICMP
from the host you ping, so if you ping them, they may ping you back until
the dynamic rule expires (note however, that _theoretically_ it may never
expire, since it will be constantly refreshed by your ping replies). In
order to prevent this from happening one should filter based on ICMP
types. ICMP may be effectively filtered even in a non-stateful manner. See
my previous post for a slightly more detailed discussion.
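To make the behaviour described in the reply concrete, here is a small added simulation (not code from the thread or from ipfw itself). It models the two rulesets side by side: the single `keep-state` rule from Step 1, where the dynamic entry is keyed on the address pair and protocol only, so any ICMP type from the pinged host is let back in; and a stateless ruleset that matches on ICMP type instead. The `Packet`/`Rule`/`Firewall` classes, the constructed addresses and the type constants are this example's own simplification; the real ipfw option for the type filter is `icmptypes`, as shown in the comments.

```python
"""Model of ipfw keep-state for ICMP versus filtering by ICMP type.

Added example, not from the original thread. It follows the reply's description:
a dynamic rule created by keep-state for ICMP matches on the address pair alone,
so the pinged host can send any ICMP type back while the entry is alive.
"""
from dataclasses import dataclass, field

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed documentation addresses standing in for {thishost} and the remote host
THISHOST, REMOTE = "192.0.2.10", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str      # "in" or "out", relative to this host
    icmp_type: int


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    direction: str                       # "in", "out" or "any"
    src: str = "any"
    dst: str = "any"
    icmptypes: frozenset = frozenset()   # empty set means any ICMP type
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (not self.icmptypes or p.icmp_type in self.icmptypes))


@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)   # address pairs with a live dynamic entry

    def check(self, p: Packet) -> str:
        # check-state comes first: a dynamic entry matches both directions of the
        # address pair regardless of ICMP type (the behaviour the reply warns about)
        if (p.src, p.dst) in self.dynamic or (p.dst, p.src) in self.dynamic:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.keep_state and r.action == "allow":
                    self.dynamic.add((p.src, p.dst))
                return r.action
        return "deny"   # closed ruleset: anything unmatched is dropped


def keep_state_ruleset() -> Firewall:
    # Step 1 from the thread:
    #   ipfw add allow icmp from {thishost} to any out via {oif} keep-state
    return Firewall([Rule("allow", "out", src=THISHOST, keep_state=True)])


def typed_ruleset() -> Firewall:
    # Stateless alternative: only echo requests leave, and only echo replies plus
    # the error types we want to hear about come back. In ipfw syntax:
    #   ipfw add allow icmp from {thishost} to any out icmptypes 8
    #   ipfw add allow icmp from any to {thishost} in icmptypes 0,3,11
    return Firewall([
        Rule("allow", "out", src=THISHOST, icmptypes=frozenset({ECHO_REQUEST})),
        Rule("allow", "in", dst=THISHOST,
             icmptypes=frozenset({ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED})),
    ])


def ping_then_get_pinged(fw: Firewall) -> tuple:
    """Replay the thread's test: ping the remote host, receive its reply,
    then see whether the remote host can ping this host back."""
    out_req = fw.check(Packet(THISHOST, REMOTE, "out", ECHO_REQUEST))
    in_reply = fw.check(Packet(REMOTE, THISHOST, "in", ECHO_REPLY))
    in_req = fw.check(Packet(REMOTE, THISHOST, "in", ECHO_REQUEST))
    return out_req, in_reply, in_req


if __name__ == "__main__":
    print("keep-state:", ping_then_get_pinged(keep_state_ruleset()))
    print("icmptypes: ", ping_then_get_pinged(typed_ruleset()))
```

With the `keep-state` rule every step is allowed, including the inbound echo request, which is exactly what Michael observed; with the type-based rules the outbound request and the inbound reply pass but the remote host's echo request is dropped. The type list in the stateless ruleset is an assumption for illustration; which error types you admit depends on what you want path-MTU discovery and traceroute to be able to tell you.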

