PF "keep state" for ICMP
Alberto Alesina
aalesina at yahoo.com
Mon Nov 7 23:42:41 PST 2005
Hello,
I have a question about ICMP states while using the
"keep state" flags for PF rules.
Intf-A
A ----- B------ C
B is running PF on FreeBSD 5.4 and has a rule with
"keep state" for ICMP traffic in the "out" direction
on Intf-A. There is also a rule to block all traffic
in the "in" direction on Intf-A.
Now, if a ping is initiated from host C to host A, a
state is created with the ICMP ID and source address
and destination address as key.
My question is - would *only* ICMP echo *replies* be
allowed back against that state? Or, would *any* ICMP
traffic with the corresponding ICMP ID, source address
and destination address be allowed?
If *any* ICMP traffic is allowed back, if I happen to
initiate ICMP echo *requests* from A to C (picking the
same ICMP ID as the one in the state created by the
ICMP echo requests from C to A), wouldn't that be a
case where you can bypass the PF firewall?
Thank you very much.
Alberto Alesina.
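As an added illustration (not from the original post), a pf.conf fragment for the setup described on B, with the interface name assumed and the outbound ICMP rule narrowed to echo requests so that only outbound pings create state entries:

```pf
# Added example, not from the original post. The interface name is assumed.
intf_a = "em0"

# Default-deny inbound on Intf-A (the poster's "block all in" rule).
block in on $intf_a all

# Pass ICMP out on Intf-A and create state. Restricting the rule to
# icmp-type echoreq means only outbound echo requests create a state;
# other outbound ICMP types are not passed by this rule at all.
pass out on $intf_a inet proto icmp icmp-type echoreq keep state
```

After a ping from C to A, `pfctl -ss` lists the ICMP state entry (the ICMP id appears where a port number would for TCP/UDP), and `pfctl -vss` adds per-state packet counters, so sending test packets in each direction and watching whether that entry's counters change shows empirically which ICMP traffic the state actually admits.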