Re: can I use keep-state for icmp rules?

From: Crist J. Clark (cristjc@earthlink.net)
Date: 10/31/01


Date: Wed, 31 Oct 2001 13:14:34 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: xlr82xs@sdf.lonestar.org

On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
[snip]

> I don't use keep-state for my tcp either, with
>
> ipfw add allow tcp from any to any out via <interface>
> ipfw add allow log tcp from any to any 80 in via <interface> setup
> ipfw add allow tcp from any to any in via <interface> connected
> ipfw add deny log tcp from any to any in via <interface>
>
> which, as far as I know, should stop the problems mentioned with using
> keep-state.
>
> if I'm wrong, please tell me :)

Doing a stateless packet filter for TCP has some problems. It is
trivial to scan for the topology of the network behind the firewall,
for example. It is possible to fingerprint network stacks to some
extent through a stateless packet filter.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
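The following is an added illustration, not code from either poster, of why the quoted stateless rule set has the weakness Crist describes. It models the four quoted ipfw rules as a Python function and a check-state/keep-state equivalent as a small flow table, then runs constructed packet traces through both. It assumes that the quoted `connected` keyword has ipfw's `established` semantics (ACK or RST bit set); all addresses, ports and traces are constructed sample input.

```python
"""Stateless vs. stateful TCP filtering, modelled in Python (constructed example).

A rule that admits any inbound packet with ACK or RST set cannot tell a reply
to a real connection from an unsolicited probe, so such probes reach the hosts
behind the filter. A state table only admits packets matching a flow it has
already seen, which is what keep-state/check-state provide.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" relative to the filtered interface
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "RST", "FIN"}


def pkt(direction, src, sport, dst, dport, *flags):
    return Packet(direction, src, sport, dst, dport, frozenset(flags))


def is_setup(p):
    # ipfw 'setup': SYN set, ACK clear
    return "SYN" in p.flags and "ACK" not in p.flags


def stateless_filter(p):
    """Model of the quoted rule set (assumed semantics):
    1. allow tcp out
    2. allow tcp in to port 80 if setup
    3. allow tcp in if ACK or RST set ('established' semantics, assumed for 'connected')
    4. deny any other inbound tcp
    """
    if p.direction == "out":
        return "allow"
    if p.dport == 80 and is_setup(p):
        return "allow"
    if p.flags & {"ACK", "RST"}:
        return "allow"
    return "deny"


@dataclass
class StatefulFilter:
    """check-state / keep-state model: a flow entry is created by a permitted
    outbound packet or a permitted inbound setup to port 80; later packets are
    allowed only if they match an existing entry."""
    table: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        # direction-independent 4-tuple key
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def decide(self, p):
        key = self._key(p)
        if key in self.table:                       # check-state
            if "RST" in p.flags:
                self.table.discard(key)             # tear down on reset
            return "allow"
        if p.direction == "out":                    # allow tcp out keep-state
            self.table.add(key)
            return "allow"
        if p.dport == 80 and is_setup(p):           # allow tcp to 80 in setup keep-state
            self.table.add(key)
            return "allow"
        return "deny"


def run(decide, trace):
    """Apply a decision function to each packet of a trace, in order."""
    return [decide(p) for p in trace]


# Constructed traces using RFC 5737 documentation addresses.
INSIDE, OUTSIDE, PROBER = "10.0.0.5", "203.0.113.10", "198.51.100.7"

LEGIT_FLOW = [                       # inside host opens a connection outward
    pkt("out", INSIDE, 40000, OUTSIDE, 80, "SYN"),
    pkt("in", OUTSIDE, 80, INSIDE, 40000, "SYN", "ACK"),
    pkt("out", INSIDE, 40000, OUTSIDE, 80, "ACK"),
    pkt("in", OUTSIDE, 80, INSIDE, 40000, "ACK"),
]
INBOUND_WEB = [pkt("in", OUTSIDE, 5555, INSIDE, 80, "SYN")]   # permitted service
ACK_PROBE = [pkt("in", PROBER, 1234, INSIDE, 22, "ACK")]      # unsolicited, no flow

if __name__ == "__main__":
    for name, trace in [("legit", LEGIT_FLOW), ("web", INBOUND_WEB), ("probe", ACK_PROBE)]:
        print(name, "stateless:", run(stateless_filter, trace),
              "stateful:", run(StatefulFilter().decide, trace))
```

Both filters pass the legitimate connection and the inbound web request; only the stateful model denies the unsolicited ACK to port 22, which the stateless rules forward to the host because the ACK bit alone satisfies rule 3.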