Subject: Re: AW: IPF question
To: Stefan Hulbrock <firstname.lastname@example.org>
From: Darren Reed <email@example.com>
Date: 07/19/2001 19:38:39
In some email I received from Stefan Hulbrock, sie wrote:
> > > One question about IPF: If I have a tcp keep state rule, I understood that
> > > any valid ICMP traffic about the TCP connection would be allowed without
> > > rule checking.
> > >
> > > Does that mean that someone able to snoop the TCP connection would be
> > > able to forge an ICMP redirect packet, and that there is no way to
> > > stop this?
> > [...]
> > Correct. This is nearly never useful because the "next hop" that is the
> > redirected gateway must be on the local LAN.
> may be a problem if someone places a "bad" router in the LAN that sends
> packets elsewhere...
> Hmmmm... but it shouldn't be too complicated in IPF to check for the ICMP
> types even in established connections.
> In my opinion "good ICMPs" (tm ;-) that should be allowed if a TCP conn is
> established are the dst-unreachables, source-quench and ttl-exceeded (hope I forgot
> I can think of no reason where a conn is established to a server and it
> sends a redirect to the source (this should normally only happen in a local
> LAN), or any other ICMP.
> This behaviour could be hard coded.
It is already:

	/*
	 * If it's not an error type, then return
	 */
	if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
	    (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
	    (type != ICMP_PARAMPROB))
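The following is an added example in C, written for this archive page; it is not IPFilter's code and not part of the thread. It shows the two policies under discussion side by side: the type test from the fragment above (any ICMP error type, redirect included) and the stricter list proposed earlier in the thread (unreachable, source quench and time exceeded only), and then the part the fragment leads into: extracting the embedded IP/TCP header that RFC 792 requires an ICMP error to carry and matching it against a TCP state entry in either direction. The `struct tcp_state` layout, the function names, the `ICMP_T_*` constants (the RFC 792 type numbers, used here instead of the system `ICMP_*` macros so the block builds anywhere) and the packet built by `build_icmp_error` are all assumptions of this example; checksums are left zero and are assumed to have been verified before state matching.

```c
/* Added example, not IPFilter's code: the type test quoted above, the
 * stricter list proposed in the thread, and the match of an ICMP error's
 * embedded IP/TCP header against a TCP state entry. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP type numbers from RFC 792 (the values behind the ICMP_* macros). */
#define ICMP_T_UNREACH      3
#define ICMP_T_SOURCEQUENCH 4
#define ICMP_T_REDIRECT     5
#define ICMP_T_TIMXCEED     11
#define ICMP_T_PARAMPROB    12

/* Same test as the IPF fragment: is this an ICMP error type at all? */
int icmp_is_error_type(int type)
{
    return type == ICMP_T_UNREACH || type == ICMP_T_SOURCEQUENCH ||
           type == ICMP_T_REDIRECT || type == ICMP_T_TIMXCEED ||
           type == ICMP_T_PARAMPROB;
}

/* Stricter policy from the thread: for an established TCP state accept only
 * unreachable, source quench and time exceeded; never a redirect. */
int icmp_ok_for_tcp_state_strict(int type)
{
    return type == ICMP_T_UNREACH || type == ICMP_T_SOURCEQUENCH ||
           type == ICMP_T_TIMXCEED;
}

/* Hypothetical state-table entry for one TCP connection (host byte order). */
struct tcp_state {
    uint32_t src, dst;
    uint16_t sport, dport;
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 1 when the ICMP error in pkt[0..len) is an accepted type and its
 * embedded IP/TCP header names this connection in either direction, else 0
 * (including packets too short to carry the inner header plus 8 bytes). */
int icmp_error_matches_state(const uint8_t *pkt, size_t len,
                             const struct tcp_state *st, int strict)
{
    size_t ihl, off, iihl;
    uint32_t isrc, idst;
    uint16_t isport, idport;
    int type;

    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1) return 0;  /* outer must be ICMP */
    type = pkt[ihl];
    if (!(strict ? icmp_ok_for_tcp_state_strict(type) : icmp_is_error_type(type)))
        return 0;
    off = ihl + 8;                                            /* embedded IP header */
    if (len < off + 20 || (pkt[off] >> 4) != 4) return 0;
    iihl = (size_t)(pkt[off] & 0x0f) * 4;
    if (iihl < 20 || pkt[off + 9] != 6 || len < off + iihl + 8) return 0;
    isrc = rd32(pkt + off + 12);
    idst = rd32(pkt + off + 16);
    isport = rd16(pkt + off + iihl);
    idport = rd16(pkt + off + iihl + 2);
    if (isrc == st->src && idst == st->dst && isport == st->sport && idport == st->dport)
        return 1;                                             /* forward direction */
    if (isrc == st->dst && idst == st->src && isport == st->dport && idport == st->sport)
        return 1;                                             /* reply direction */
    return 0;
}

/* Constructed 56-byte ICMP error: outer IP (router -> original sender), 8-byte
 * ICMP header, embedded IP header, first 8 bytes of TCP. Checksums left zero. */
size_t build_icmp_error(uint8_t *buf, int type, uint32_t router, uint32_t isrc,
                        uint32_t idst, uint16_t isport, uint16_t idport)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = 64; buf[9] = 1;     /* IPv4, len, TTL, ICMP */
    wr32(buf + 12, router);
    wr32(buf + 16, isrc);
    buf[20] = (uint8_t)type;                                  /* ICMP type, code 0 */
    buf[28] = 0x45; buf[31] = 40; buf[36] = 64; buf[37] = 6;  /* inner IPv4, TCP */
    wr32(buf + 40, isrc);
    wr32(buf + 44, idst);
    wr16(buf + 48, isport);
    wr16(buf + 50, idport);
    return 56;
}

/* Scenarios from the thread against a constructed state entry
 * (192.0.2.10:40000 -> 198.51.100.5:443, router 10.0.0.1); returns how many
 * of the 7 checks behaved as expected. */
int selfcheck(void)
{
    struct tcp_state st = { 0xC000020Au, 0xC6336405u, 40000, 443 };
    uint8_t p[56];
    size_t n;
    int ok = 0;

    n = build_icmp_error(p, ICMP_T_UNREACH, 0x0A000001u, st.src, st.dst, 40000, 443);
    ok += icmp_error_matches_state(p, n, &st, 0) == 1;  /* IPF list: accepted */
    ok += icmp_error_matches_state(p, n, &st, 1) == 1;  /* strict list: accepted */
    n = build_icmp_error(p, ICMP_T_REDIRECT, 0x0A000001u, st.src, st.dst, 40000, 443);
    ok += icmp_error_matches_state(p, n, &st, 0) == 1;  /* IPF list lets the redirect through */
    ok += icmp_error_matches_state(p, n, &st, 1) == 0;  /* strict list drops it */
    n = build_icmp_error(p, ICMP_T_TIMXCEED, 0x0A000001u, st.dst, st.src, 443, 40000);
    ok += icmp_error_matches_state(p, n, &st, 1) == 1;  /* error about the reply direction */
    n = build_icmp_error(p, ICMP_T_UNREACH, 0x0A000001u, st.src, st.dst, 40001, 443);
    ok += icmp_error_matches_state(p, n, &st, 0) == 0;  /* other port: no such state */
    ok += icmp_error_matches_state(p, 40, &st, 0) == 0; /* truncated inner header */
    return ok;
}

int main(void)
{
    printf("%d of 7 checks passed\n", selfcheck());
    return 0;
}
```

The `strict` flag is what separates the two positions in the thread: with it cleared, a redirect whose embedded header quotes the connection is accepted exactly as the quoted IPF test would accept it; with it set, the redirect is dropped while unreachable, source quench and time exceeded still reach the state. The length checks before every read of the embedded header are the part worth copying: an ICMP error that is too short to carry the inner IP header and 8 bytes of TCP cannot be matched to any state and is rejected rather than read past the buffer.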