PF "keep state" for ICMP

Daniel Hartmeier daniel at benzedrine.cx
Tue Nov 8 01:59:06 PST 2005


On Mon, Nov 07, 2005 at 11:42:36PM -0800, Alberto Alesina wrote:

> My question is - would *only* ICMP echo *replies* be
> allowed back against that state? Or, would *any* ICMP
> traffic with the corresponding ICMP ID, source address
> and destination address be allowed? 

The latter.

> If *any* ICMP traffic is allowed back, if I happen to
> initiate ICMP echo *requests* from A to C (picking the
> same ICMP ID as the one in the state created by the
> ICMP echo requests from C to A), wouldn't that be a
> case where you can bypass the PF firewall?

If you want to put it that way, yes.

Assuming you're a malicious A, what do you gain, though? You're already
getting pinged by C, so you know it's there. You could already deliver
an arbitrary amount of reply packets. Fingerprinting silliness?

Daniel
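To make the scenario in the exchange concrete, here is an editor's pf.conf fragment for host C (the side that pings A); it is an added illustration, not a ruleset from the thread or from the PF project, and the interface name and address are placeholders.

```pf
# Added example (not from the thread): ruleset on host C, the machine that
# initiates echo requests toward A. Interface and address are placeholders.
ext_if = "em0"
host_a = "192.0.2.10"

# Default deny for everything arriving on the external interface.
block in on $ext_if

# Let C's own echo requests out and create a state entry for each.
# The state is keyed on source/destination address and the ICMP ID,
# not on the ICMP type, so any ICMP packet from A that carries the
# same ID and addresses matches it on the way back in.
pass out on $ext_if inet proto icmp from $ext_if to $host_a \
    icmp-type echoreq keep state

# This inbound rule is never consulted for packets that already match
# the state above: pf performs the state lookup before it evaluates
# the ruleset, so the echorep restriction only affects ICMP from A for
# which no state exists.
pass in on $ext_if inet proto icmp from $host_a to $ext_if \
    icmp-type echorep
```

`pfctl -ss` lists the resulting icmp state entries while a ping is running; logging the `block in` rule and watching pflog will show that ICMP from A carrying a matching ID is passed by the state rather than hitting the inbound ruleset, which is the behaviour the reply above describes.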


More information about the freebsd-pf mailing list