I read in different posts that with OPNsense it is actually the default behaviour that when B is authorized to reach A, A can reply to B, and I could verify that this works well.
However, my issue is the following when one does it step by step:

1. First, A pings B: there is no answer - correct.
2. Second, B pings A: it works - correct.
3. But now, if A pings B, A gets replies - NOT CORRECT.

Actually what happens is obviously the following:

- Step 1: there is no rule to accept traffic from A to B, so there is no reply.
- Step 2: there is a rule to accept traffic from B to A, so by default OPNsense tracks the state of the connection and replies from A are accepted back to B.
- Step 3: when, at that point, A initiates traffic to B, OPNsense uses the previous state of the connection from step 2 and accepts the traffic!
So, in case there is regular communication from B to A, an attacker could suddenly usurp the IP address of A to attack B through the firewall.

How can one definitively block traffic from A to B that is initiated by A?
> However, my issue is the following when one does it step by step:
>
> 1. First, A pings B: there is no answer - correct.
> 2. Second, B pings A: it works - correct.
> 3. But now, if A pings B, A gets replies - NOT CORRECT.
With ICMP, this is different. There is no port, only an ICMP subtype. Other than that, there are only (src_ip, dst_ip). Thus, you can only decide based on "soft" factors ("related"), like if within the last few seconds, you saw ICMP traffic between both parties that might explain why another ICMP packet is seen (and being passed).
There is a sequence number, correct, but since you can "smoke ping" and there is no foreseeable sequence in which packets get transmitted, you cannot decide based on the sequence number (or, in other words: even if you used something akin to a "catch range", it would be just as good as an arbitrary time range).
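To make the difference concrete, here is an added toy model of an ICMP state table, written for this thread and not taken from OPNsense or pf. It runs the three steps from the question against two matching policies: a "soft" policy that passes any packet between two endpoints that recently exchanged ICMP, and a strict policy that only passes the echo-reply to a tracked echo-request with the same identifier. Names, the `ttl` window and the identifier values are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP echo identifier


class IcmpStateFilter:
    """Toy stateful ICMP filter (a model, not OPNsense/pf code).

    The only explicit pass rule is the allowed_pairs set (here B -> A).
    Anything else must be explained by a tracked state.
      strict=False: reply-direction packets match on endpoints alone for ttl
                    seconds (the "soft"/related heuristic described above).
      strict=True:  only an echo-reply to a tracked echo-request with the same
                    identifier passes; a new echo-request from A is judged by
                    the rule set alone and is dropped.
    """

    def __init__(self, allowed_pairs, strict, ttl=10.0):
        self.allowed = set(allowed_pairs)
        self.strict = strict
        self.ttl = ttl
        self.states = {}   # (src, dst, ident) -> time the request was seen

    def process(self, pkt, now):
        # Expire states older than the window.
        self.states = {k: t for k, t in self.states.items() if now - t < self.ttl}
        if (pkt.src, pkt.dst) in self.allowed:
            if pkt.kind == "echo-request":
                self.states[(pkt.src, pkt.dst, pkt.ident)] = now
            return True
        if self.strict:
            return pkt.kind == "echo-reply" and (pkt.dst, pkt.src, pkt.ident) in self.states
        # Soft policy: any tracked state between the same two hosts is enough.
        return any(s == pkt.dst and d == pkt.src for (s, d, _) in self.states)


def run_scenario(strict):
    """Return pass/drop decisions for: A->B request, B->A request,
    A->B reply to that request, then a fresh A->B request (step 3)."""
    fw = IcmpStateFilter(allowed_pairs={("B", "A")}, strict=strict)
    return [
        fw.process(Icmp("A", "B", "echo-request", 1), now=0.0),  # step 1
        fw.process(Icmp("B", "A", "echo-request", 7), now=1.0),  # step 2
        fw.process(Icmp("A", "B", "echo-reply", 7), now=1.1),    # A's reply to step 2
        fw.process(Icmp("A", "B", "echo-request", 2), now=2.0),  # step 3
    ]
```

With the soft policy the fourth decision is True, reproducing the behaviour the question describes; with the strict policy only the genuine echo-reply passes and the new request from A is dropped.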