On 3/11/14, 1:05 AM, Dewayne Geraghty wrote:
On 11/03/2014 2:53 PM, Julian Elischer wrote:
It has annoyed me for some time that icmp packets referring to an
ongoing session can not be matched by a dynamic rule that governs that
session.

For example, if you have a dynamic rule for tcp 1.2.3.4 port
80 from 5.6.7.8 port 10000 then a returning icmp packet giving
"destination unreachable" and holding the appropriate header
in its data segment should probably be allowed to go through
back to the originator.

Briefly looking at the code I see no sign of this and I haven't seen
any sign of it in action so I hope I'm not going to get a
"but it already does that" response.

My way of approaching it would be to change the dynamic rule code so that
it checks that the ICMP destination address matches the source address
of the packet fragment in the 'data' section, and then match the data
segment packet header with the dynamic rules instead of the icmp packet itself.

I would also add a sysctl to disable this behaviour, because there is
always someone who doesn't want any change you care to name.

The only way you can get icmp packets back to the originating sender
at the moment is to just allow them through without any major filtering.
That leaves you open to a large attack window.

anyone have violent objections?

(I'm currently rewriting the firewall rules at $DAYJOB and I think I'd
like to have this, but as we're on 8.0 I'll have to wait a while before
I can use my own patch :-)

Julian

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Julian,
That's a good idea, and I appreciate the feedback opportunity.

May I suggest a sysctl to enable the behaviour, rather than one to
disable it.  For two reasons: so that existing ipfw sites don't find the
need to change or amend existing firewall rules (we typically open icmp
3 and 11);  and how do you envisage "ipfw show" will display this
compound behaviour?
I don't know that it needs to show anything special.
The display of dynamic rules might be changed to show something, but I haven't thought too much about it yet.


Regards, Dewayne.
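The matching logic Julian proposes above (check that the ICMP error is addressed to the host that sent the quoted packet, then match the quoted header, not the ICMP packet itself, against the dynamic rules), written out as an added, stand-alone Python example that is not part of the thread or of ipfw's own code. The rule table, packet builders and sample packets are constructed for illustration; only ICMP types 3 and 11 quoting a TCP header are considered, as in Dewayne's note about what sites typically open.

```python
import struct
from ipaddress import IPv4Address

# Constructed dynamic-rule table keyed as (proto, src, sport, dst, dport)
# for the session that created the state: tcp 5.6.7.8:10000 -> 1.2.3.4:80.
DYNAMIC_RULES = {("tcp", "5.6.7.8", 10000, "1.2.3.4", 80)}
ICMP_ERROR_TYPES = {3, 11}  # destination unreachable, time exceeded

def parse_ipv4(buf):
    """Return (proto, src, dst, header_len) from a raw IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), ihl

def icmp_error_matches_session(packet, rules=DYNAMIC_RULES):
    """True if an ICMP error packet quotes a TCP header belonging to an
    existing dynamic rule and is addressed back to that packet's sender."""
    proto, src, dst, ihl = parse_ipv4(packet)
    if proto != 1 or packet[ihl] not in ICMP_ERROR_TYPES:
        return False
    quoted = packet[ihl + 8:]           # quoted IP header + first 8 bytes of L4
    if len(quoted) < 28:
        return False
    qproto, qsrc, qdst, qihl = parse_ipv4(quoted)
    if dst != qsrc:                     # error must go back to the originator
        return False
    if qproto != 6 or len(quoted) < qihl + 4:
        return False
    sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
    fwd = ("tcp", qsrc, sport, qdst, dport)
    rev = ("tcp", qdst, dport, qsrc, sport)  # quoted packet may be the reply leg
    return fwd in rules or rev in rules

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left zero in this sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_icmp_error(src, dst, quoted_packet):
    """ICMP type 3 code 1 (host unreachable) quoting the offending packet."""
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted_packet[:28]
    return build_ipv4(src, dst, 1, icmp)

# Constructed samples: the original outbound SYN and ICMP errors about it.
ORIGINAL = build_ipv4("5.6.7.8", "1.2.3.4", 6, struct.pack("!HH", 10000, 80) + b"\0" * 16)
GOOD = build_icmp_error("1.2.3.4", "5.6.7.8", ORIGINAL)       # matches the session
WRONG_DST = build_icmp_error("1.2.3.4", "9.9.9.9", ORIGINAL)  # not sent to originator
OTHER = build_ipv4("5.6.7.8", "1.2.3.4", 6, struct.pack("!HH", 10001, 80) + b"\0" * 16)
NO_SESSION = build_icmp_error("1.2.3.4", "5.6.7.8", OTHER)    # no dynamic rule for it
```

Only the GOOD sample passes; the other two show why a blanket "allow icmp" rule is wider than a session-aware check.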