Re: can I use keep-state for icmp rules?

From: Mario de Oliveira Lobo Neto (Mlobo@ear.com.br)
Date: 11/01/01


From: "Mario de Oliveira Lobo Neto" <Mlobo@ear.com.br>
To: cjclark@alum.mit.edu
Date: Thu, 1 Nov 2001 06:35:16 -0200


> On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> [snip]
>
> > I don't use keep-state for my TCP either, with
> >
> > ipfw add allow tcp from any to any out via <interface>
> > ipfw add allow log tcp from any to any 80 in via <interface> setup
> > ipfw add allow tcp from any to any in via <interface> connected
> > ipfw add deny log tcp from any to any in via <interface>
> >
> > which, as far as I know, should stop the problems mentioned with using
> > keep-state..
> >
> > If I'm wrong, please tell me :)
>
> Doing a stateless packet filter for TCP has some problems. It is
> trivial to scan for the topology of the network behind the firewall
> for example. It is possible to fingerprint network stacks to some
> extent through a stateless packet filter.
> --
> Crist J. Clark cjclark@alum.mit.edu

Forgive me if this is a stupid question, but could you give a hint (or
directions to learn) on when, and in which type/port of ipfw rules,
keep-state should be used?

Thanks
-
*** Mario Lobo
*** Head of Computer Department
*** American School of Recife


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message