Re: can I use keep-state for icmp rules?

From: Mario de Oliveira Lobo Neto
Date: 11/01/01

From: "Mario de Oliveira Lobo Neto"
Date: Thu, 1 Nov 2001 06:35:16 -0200

> On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> [snip]
> > I don't use keep-state for my tcp either, with
> >
> > ipfw add allow tcp from any to any out via <interface>
> > ipfw add allow log tcp from any to any 80 in via <interface> setup
> > ipfw add allow tcp from any to any in via <interface> established
> > ipfw add deny log tcp from any to any in via <interface>
> >
> > which, as far as I know, should stop the problems mentioned with using
> > keep-state..
> >
> > if I'm wrong, please tell me :)
> Doing a stateless packet filter for TCP has some problems. It is
> trivial to scan for the topology of the network behind the firewall
> for example. It is possible to fingerprint network stacks to some
> extent through a stateless packet filter.
> --
> Crist J. Clark

Forgive me if this is a stupid question, but could you give a hint (or
directions to learn) when and in which type/port ipfw rules should
keep-state be used?

*** Mario Lobo
*** Head of Computer Department
*** American School of Recife
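
Added example, not part of the original thread and not ipfw code: a toy Python model comparing the per-packet (stateless) rules quoted above with a keep-state style filter that remembers flows. Assumptions: the last `allow ... in` rule is modelled with ipfw's `established` semantics (ACK or RST set), state is tracked by address/port pair only with no timeouts, and all addresses and packets are constructed samples.

```python
from collections import namedtuple

# Constructed toy model; not ipfw source code. Flags: S=SYN, A=ACK, R=RST.
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

def is_setup(p):
    return "S" in p.flags and "A" not in p.flags    # ipfw 'setup'

def stateless(p):
    """Per-packet verdict for the four quoted rules (no memory of earlier packets)."""
    if p.direction == "out":
        return "allow"
    if p.dport == 80 and is_setup(p):
        return "allow"
    if "A" in p.flags or "R" in p.flags:            # ipfw 'established'
        return "allow"
    return "deny"

class Stateful:
    """keep-state style filter: inbound traffic must match a recorded flow."""
    def __init__(self):
        self.flows = set()

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:  # like check-state
            return "allow"
        if p.direction == "out" or (p.dport == 80 and is_setup(p)):
            self.flows.add(fwd)                     # like keep-state
            return "allow"
        return "deny"

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("outbound SYN", Pkt("out", "192.0.2.10", 40000, "198.51.100.5", 443, "S")),
    ("reply SYN+ACK", Pkt("in", "198.51.100.5", 443, "192.0.2.10", 40000, "SA")),
    ("inbound SYN to :80", Pkt("in", "203.0.113.9", 5000, "192.0.2.30", 80, "S")),
    ("inbound SYN to :22", Pkt("in", "203.0.113.9", 5001, "192.0.2.30", 22, "S")),
    ("unsolicited ACK to :22", Pkt("in", "203.0.113.9", 5002, "192.0.2.20", 22, "A")),
]

def compare(sample=SAMPLE):
    fw = Stateful()
    return [(name, stateless(p), fw.check(p)) for name, p in sample]

if __name__ == "__main__":
    for name, a, b in compare():
        print(f"{name:24} stateless={a:5} stateful={b}")
```

The two filters agree on every packet except the last: the stateless rules pass any inbound segment with ACK set, while the stateful filter drops it because no flow was ever recorded for it.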
