ipfw stateful and ICMP

Julian Elischer julian at freebsd.org
Wed Mar 12 07:05:53 UTC 2014


On 3/11/14, 1:05 AM, Dewayne Geraghty wrote:
> On 11/03/2014 2:53 PM, Julian Elischer wrote:
>> It has annoyed me for some time that icmp packets referring to an
>> ongoing session can not be matched by a dynamic rule that governs that
>> session.
>>
>> For example, if you have a dynamic rule for tcp 1.2.3.4 port
>> 80 from 5.6.7.8 port 10000 then a returning icmp packet giving
>> "destination unreachable" and holding the appropriate header
>> in its data segment should probably be allowed to go through
>> back to the originator.
>>
>> Briefly looking at the code I see no sign of this and I haven't seen
>> any sign of it in action so I hope I'm not going to get a
>> "but it already does that" response.
>>
>> My way of approaching it would be to change the dynamic rule code so that
>> it checks that the ICMP destination address matches the source address
>> of the packet fragment in the 'data' section, and then match the data
>> segment packet header with the dynamic rules instead of the icmp packet itself.
>>
>> I would also add a sysctl to disable this behaviour, because there is
>> always someone who doesn't want any change you care to name.
>>
>> The only way you can get icmp packets back to the originating sender
>> at the moment is to just allow them through without any major filtering.
>> That leaves you open to a large attack window.
>>
>> anyone have violent objections?
>>
>> (I'm currently rewriting the firewall rules at $DAYJOB and I think I'd
>> like to have this, but as we're on 8.0 I'll have to wait a while before
>> I can use my own patch :-)
>>
>> Julian
>>
>>
> Julian,
> That's a good idea, and I appreciate the feedback opportunity.
>
> May I suggest a sysctl to enable the behaviour, rather than one to
> disable it.  For two reasons: so that existing ipfw sites don't find the
> need to change or amend existing firewall rules (we typically open icmp
> 3 and 11);  and how do you envisage "ipfw show" will display this
> compound behaviour?
I don't know that it need show anything special.
The display of dynamic rules might be changed to show something but I
haven't thought too much about it yet.

>
> Regards, Dewayne.
>
>
>
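The matching logic proposed in this thread, as an added worked model that is not ipfw code: parse an ICMP error, check that its destination is the source of the quoted datagram, then look up the quoted header (not the ICMP packet) in a state table. The packet layouts, the constructed `DYNAMIC_RULES` table and the builder helpers are assumptions for illustration; checksums are not verified in this model.

```python
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {6: "tcp", 17: "udp"}
ICMP_ERROR_TYPES = {3, 4, 11, 12}   # unreachable, source quench, time exceeded, param problem

# Constructed state table: each entry is the 5-tuple of the packet that created
# the keep-state entry, i.e. "tcp 1.2.3.4 port 80 from 5.6.7.8 port 10000" above.
DYNAMIC_RULES = {("tcp", "5.6.7.8", 10000, "1.2.3.4", 80)}

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def icmp_error_session(pkt):
    """Return the 5-tuple of the datagram quoted inside an ICMP error, or None."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[0] != 1:
        return None
    _, _, icmp_dst, icmp = outer
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = parse_ipv4(icmp[8:])          # quoted IP header follows the 8-byte ICMP header
    if inner is None:
        return None
    proto, in_src, in_dst, transport = inner
    # The check from the mail: the error must be addressed to the quoted packet's sender.
    # RFC 792 guarantees only 8 bytes of the quoted transport header, enough for ports.
    if in_src != icmp_dst or proto not in PROTO_NAMES or len(transport) < 8:
        return None
    sport, dport = struct.unpack("!HH", transport[:4])
    return PROTO_NAMES[proto], in_src, sport, in_dst, dport

def icmp_allowed_by_dynamic_rule(pkt, table=DYNAMIC_RULES):
    """Match the quoted header against the state table; dynamic rules match both directions."""
    s = icmp_error_session(pkt)
    if s is None:
        return False
    return s in table or (s[0], s[3], s[4], s[1], s[2]) in table

def ipv4_header(src, dst, proto, total_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_unreachable(router, reply_to, orig_src, orig_dst, sport, dport):
    """Construct a type 3 'destination unreachable' sent by router to reply_to, quoting a TCP SYN."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 40) + struct.pack(
        "!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted    # checksum left zero in this model
    return ipv4_header(router, reply_to, 1, 20 + len(icmp)) + icmp
```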