OSEC

From: Emmanuel Dreyfus (Emmanuel.Dreyfusespci.fr)
Date: Thu Jul 19 2001 - 03:27:06 CDT

    Hi!

    One question about IPF: If I have a tcp keep state rule, I understood that
    any valid ICMP traffic about the TCP connection would be allowed without
    rule checking.

    Does that mean that someone able to snoop the TCP connection would be able
    to forge an ICMP redirect packet, and that there is no way to stop this?

    Example:
    ex0 inet 10.0.0.1 netmask 255.255.255.0
    ne2 inet 192.168.3.15 netmask 255.255.255.0

    block in on ne2 from any to any
    block out on ne2 from any to any
    pass out on ne2 proto tcp from 192.168.3.15/32 to any keep state
    pass out on ne2 proto tcp from 10.0.0.0/24 to any keep state

    I sit on a machine on the ex0 side: say 10.0.0.2, and I start a POP session
    to 192.168.18.5. Someone is snooping on the 192.168.3 network, and it
    forges an ICMP redirect packet that seems to come from 192.168.18.5. The
    packet has 10.0.0.2 for destination. As I understood, the keep state rule
    on the firewall will let this packet pass without any rule checking.

    Is that right? If it is, is there any way of blocking this kind of ICMP
    redirect packets?

    -- 
    Emmanuel Dreyfus                             Emmanuel.Dreyfusespci.fr
    This signature is provided to you as is, without any guarantee that it
    works. By reading it, you accept the material, physical, and moral
    damages it may cause.
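The scenario above hinges on what a stateful filter actually compares before it lets an ICMP error through on the strength of a TCP state entry: the quoted inner IP/TCP header carried in the ICMP payload, not the outer addresses. The following is an added illustration, written for this page and not IPF's own code, of that decision as a simplified model. It builds a forged host redirect the way an on-path sniffer could, then runs it against a constructed state table; the addresses, ports, sequence window and the state-table layout are all assumptions made for the example.

```python
"""Simplified model (added example, not ipfilter's code) of the check a
stateful packet filter makes before passing an ICMP error on the strength
of an existing TCP state entry.  Addresses, ports, sequence numbers and
the state-table layout are constructed for the illustration."""
import socket
import struct

ICMP_REDIRECT = 5            # RFC 792 type; code 1 = redirect for host
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum.  Returns 0 when run over a
    message that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def forge_redirect(spoof_src, victim, new_gateway, flow, seq):
    """ICMP host redirect (type 5, code 1) quoting the IP header plus the
    first 8 bytes of TCP of a datagram the victim sent on 'flow' =
    (src, sport, dst, dport).  Everything quoted here is visible to a
    sniffer on the path, so nothing in it is secret from that attacker."""
    src, sport, dst, dport = flow
    quoted = ipv4_header(src, dst, IPPROTO_TCP, 20) + struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(new_gateway)) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(spoof_src, victim, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_error(dgram: bytes):
    """Extract outer addresses, ICMP type/code and the quoted inner TCP
    flow from an ICMP error; None if the datagram is not a well-formed one."""
    if len(dgram) < 20 or dgram[9] != IPPROTO_ICMP:
        return None
    ihl = (dgram[0] & 0x0F) * 4
    icmp = dgram[ihl:]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:   # bad length or checksum
        return None
    inner = icmp[8:]
    iihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < iihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[iihl:iihl + 8])
    return {
        "outer_src": socket.inet_ntoa(dgram[12:16]),
        "outer_dst": socket.inet_ntoa(dgram[16:20]),
        "type": icmp[0], "code": icmp[1],
        "inner_flow": (socket.inet_ntoa(inner[12:16]), sport,
                       socket.inet_ntoa(inner[16:20]), dport),
        "inner_seq": seq,
    }


def icmp_matches_state(dgram: bytes, state_table: dict, check_seq: bool = True) -> bool:
    """The stateful decision in this model: the quoted inner datagram must
    belong to a tracked connection (4-tuple, in the direction the inner
    packet travelled), the error must be addressed to the inner sender,
    and optionally the quoted sequence number must sit inside the window
    recorded for that direction.  The outer source address is deliberately
    not consulted: any router on the path may legitimately emit the error,
    which is why a spoofed outer source is not what the filter catches."""
    info = parse_icmp_error(dgram)
    if info is None:
        return False
    st = state_table.get(info["inner_flow"])
    if st is None or info["outer_dst"] != info["inner_flow"][0]:
        return False
    if check_seq and not (st["seq_lo"] <= info["inner_seq"] < st["seq_hi"]):
        return False
    return True


def demo():
    """Constructed scenario from the post: 10.0.0.2 has a POP session to
    192.168.18.5 through the firewall, entered in the state table by the
    'pass out ... keep state' rule.  Returns the verdicts for a sniffing
    attacker, a blind attacker and a sniffer with a stale sequence number."""
    pop_flow = ("10.0.0.2", 54321, "192.168.18.5", 110)
    state = {pop_flow: {"seq_lo": 1000, "seq_hi": 1000 + 65535}}   # assumed window
    gw = "192.168.3.66"                                            # attacker's box
    sniffer = forge_redirect("192.168.18.5", "10.0.0.2", gw, pop_flow, seq=1500)
    blind = forge_redirect("192.168.18.5", "10.0.0.2", gw,
                           ("10.0.0.2", 40000, "192.168.18.5", 110), seq=1500)
    stale = forge_redirect("192.168.18.5", "10.0.0.2", gw, pop_flow, seq=999)
    return (icmp_matches_state(sniffer, state),
            icmp_matches_state(blind, state),
            icmp_matches_state(stale, state))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The point the model makes is the one the post worries about: a sequence-number check defeats a blind forger, but an attacker who can sniff the 192.168.3 segment sees the 4-tuple and the current sequence number, so the redirect quoting them is indistinguishable from a genuine one at the state-table level. Whether such a packet is then accepted is a policy question (an explicit rule on ICMP redirects, or the end host ignoring redirects) rather than something state matching alone can settle.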