Re: can I use keep-state for icmp rules?

From: Mario de Oliveira Lobo Neto (Mlobo@ear.com.br)
Date: 11/01/01


From: "Mario de Oliveira Lobo Neto" <Mlobo@ear.com.br>
To: cjclark@alum.mit.edu
Date: Thu, 1 Nov 2001 06:35:16 -0200


> On Thu, Nov 01, 2001 at 01:26:21AM +1000, David Trzcinski wrote:
> [snip]
>
> > I don't use keep-state for my tcp either, with
> >
> > ipfw add allow tcp from any to any out via <interface>
> > ipfw add allow log tcp from any to any 80 in via <interface> setup
> > ipfw add allow tcp from any to any in via <interface> connected
> > ipfw add deny log tcp from any to any in via <interface>
> >
> > which, as far as I know should stop the problems mentioned with using
> > keep-state.
> >
> > if I'm wrong, please tell me :)
>
> Doing a stateless packet filter for TCP has some problems. It is
> trivial to scan for the topology of the network behind the firewall
> for example. It is possible to fingerprint network stacks to some
> extent through a stateless packet filter.
> --
> Crist J. Clark cjclark@alum.mit.edu

Forgive me if this is a stupid question, but could you give a hint (or
directions to learn) about when, and for which types/ports of ipfw rules,
keep-state should be used?

Thanks
-
*** Mario Lobo
*** Head of Computer Department
*** American School of Recife
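The difference Crist is pointing at, as an added model that is not part of this thread and is not ipfw code: the quoted stateless rules judge each packet by its TCP flags alone, while keep-state/check-state remembers flows opened from the inside (TCP setup, UDP and ICMP, which also covers the keep-state-for-icmp question). The addresses, ports and the simplified dynamic-rule table are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for icmp (ipfw dynamic rules carry port 0 for non-TCP/UDP)
    dst: str
    dport: int
    direction: str   # "in" or "out", as seen on the external interface
    syn: bool = False
    ack: bool = False

def is_setup(p):
    """ipfw 'setup': SYN set, ACK clear (first packet of a TCP connection)."""
    return p.proto == "tcp" and p.syn and not p.ack

def stateless_allow(p):
    """The quoted stateless ruleset: tcp out; tcp to port 80 in setup;
    tcp in 'established' (any packet carrying ACK); everything else denied."""
    if p.proto != "tcp":
        return False
    if p.direction == "out":
        return True
    if p.dport == 80 and is_setup(p):
        return True
    return p.ack         # 'established' is only a flag check, no memory of a flow

class StatefulFilter:
    """keep-state on flow openers, check-state for everything that follows."""
    def __init__(self):
        self.dyn = set()  # dynamic rules: (proto, initiator, iport, responder, rport)

    def allow(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dyn or rev in self.dyn:   # check-state: part of a tracked flow
            return True
        # keep-state: flows opened from inside (tcp setup, udp, icmp) ...
        if p.direction == "out" and (p.proto != "tcp" or is_setup(p)):
            self.dyn.add(fwd)
            return True
        # ... and new connections from outside to the web server only
        if p.direction == "in" and p.dport == 80 and is_setup(p):
            self.dyn.add(fwd)
            return True
        return False     # default deny: stray ACK-only packets, unsolicited icmp, ...

if __name__ == "__main__":
    probe = Pkt("tcp", "198.51.100.7", 1234, "10.0.0.5", 22, "in", ack=True)
    print("stateless:", stateless_allow(probe), " stateful:", StatefulFilter().allow(probe))
```

An ACK-only packet to an inside host passes the flag check but matches no dynamic rule, which is why the stateless variant leaks the topology Crist mentions.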
