Re: IPFilter: Shouldn't this be let in [WITH PATCH] (IPFilter forums, System Security and Security Related category)
On Wed, Nov 26, 2003 at 11:05:05AM +1100, Darren Reed wrote:
> In some mail from Guido van Rooij, sie said:
> >
> > > Where I'm going with this is that it might be nice to have a choice of
> > > using keep state with limitations on specific classes of "related" packets
> > > passed implicitly. You've sort of got that in this case without the patch,
> > > since you can always let in the ICMP explicitly as part of your ruleset.
> > > Once it becomes implicit with state, there's no method for controlling it
> > > in the current semantics.
> >
> > I do agree with that. The question is how to do this. Should this be a
> > per-rule directive or a general one (e.g. block all icmp error
> > towards an old SunOS box but let unreachable (couldn't fragment) in
> > for all other hosts).
>
> In IP Filter 4.0 you can do:
>
> pass in proto tcp ... keep state (no-icmp-err)

This is too simple. You want to specify e.g. that ICMP_UNREACH_NEEDFRAG is
allowed through but not ICMP_UNREACH_PORT.

See also Daniel's mail.

-Guido
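The distinction Guido is asking for can be expressed today by turning the implicit ICMP handling off and writing the ICMP rules out explicitly. The ruleset below is an added example, not code from the thread or from the IP Filter project: the interface name le0, the network 192.0.2.0/24 and the host 192.0.2.10 are constructed placeholders, and the `keep state (no-icmp-err)` option is taken from Darren's message as an IP Filter 4.0 feature.

```conf
# Added example ruleset (constructed for illustration, not from the thread).
# Assumptions: interface le0, protected network 192.0.2.0/24, one legacy
# host 192.0.2.10 that should receive no ICMP errors at all, and the
# IP Filter 4.0 "keep state (no-icmp-err)" option quoted by Darren.
# All rules use "quick", so the first matching rule wins and order matters.

# Outbound TCP: keep state, but do not let the state entry implicitly admit
# ICMP errors for the session. Whatever ICMP comes back must match a rule.
pass out quick on le0 proto tcp from 192.0.2.0/24 to any flags S keep state (no-icmp-err)

# Per-host exception of the kind Guido describes: the legacy host sees no
# ICMP errors whatsoever. This must precede the generic pass below.
block in log quick on le0 proto icmp from any to 192.0.2.10

# Allow only the error class we actually need: destination unreachable,
# code 4 (fragmentation needed and DF set, ICMP_UNREACH_NEEDFRAG), so Path
# MTU Discovery keeps working for the rest of the network.
pass in quick on le0 proto icmp from any to 192.0.2.0/24 icmp-type unreach code 4

# Every other destination-unreachable message, including code 3
# (ICMP_UNREACH_PORT), is dropped and logged so the drops stay visible.
block in log quick on le0 proto icmp from any to 192.0.2.0/24 icmp-type unreach
```

Because the TCP rule carries `no-icmp-err`, the `pass in ... code 4` line is the only path by which an unreachable can reach the protected network, which is the per-class control the thread says the plain `keep state` semantics lack. Check the `icmp-type`/`code` spelling against the ipf.conf(5) page of the installed version before loading it, since the accepted keywords have varied between releases.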