Date:      Mon, 30 Jul 2001 03:53:43 -0700 (PDT)
From:      David Newall <david.newall@tellurian.com.au>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/29323: ipfw's "established" option incorrectly passes packets with ECN-Echo flag set
Message-ID:  <200107301053.f6UArhD50612@freefall.freebsd.org>


>Number:         29323
>Category:       kern
>Synopsis:       ipfw's "established" option incorrectly passes packets with ECN-Echo flag set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 30 04:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     David Newall
>Release:        4.2-RELEASE
>Organization:
Tellurian Pty Ltd
>Environment:
FreeBSD custfw.tellurian.com.au 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20 13:02:55 GMT 2000     jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC  i386
>Description:
Ipfw rules that specify "established" TCP packets incorrectly match packets
with the ECN-Echo flag set (see RFC 2481).  This type of rule is sometimes
used to permit unrestricted "outbound" and restricted "inbound" connections.
Intruders can exploit this fault to penetrate a firewall that is so configured.
>How-To-Repeat:
Create an ipfw incorporating the following general rules:
   ...
   accept tcp from TARGET to SECURE established
   deny tcp from TARGET to SECURE
   ...
then attempt to connect from TARGET to SECURE having set tcp flag 0x40.
>Fix:
There are a number of good ways to fix the problem.
1. Modify ip_fw.h, ip_fw.c and ipfw.c so that IP_FW_TCPF_ESTAB is not
    stored in fw_tcpf (best solution);
2. Modify ip_fw.c so that rules with IP_FW_TCPF_ESTAB set return 0 if
    neither the RST nor ACK flags are set (acceptable, but will need rework
    when the number of allocated flags exceeds 8); or
3. Modify ipfw.c to set fw_tcpnf to -1 (work around).

An acceptable work-around is to modify ipfw.c, appending
  rule.fw_tcpnf = 1;
after line 1896, which reads
  rule.fw_tcpf  |= IP_FW_TCPF_ESTAB;
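The root cause described above is that IP_FW_TCPF_ESTAB (0x40) shares its bit value with the ECN-Echo flag, so a rule whose fw_tcpf holds only the "established" marker is satisfied by any segment carrying ECE. The following C model is an added example, not code from the FreeBSD source: it uses a simplified stand-in for the rule's fw_tcpf/fw_tcpnf fields and contrasts the pre-fix matching with fix option 1 (keeping "established" out of fw_tcpf altogether).

```c
#include <stdint.h>

/* TCP header flag bits (RFC 793; ECE from RFC 2481). */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40 /* ECN-Echo: the same bit value as IP_FW_TCPF_ESTAB below */

/* ipfw's "established" pseudo-flag as 4.2-RELEASE stores it in fw_tcpf. */
#define IP_FW_TCPF_ESTAB 0x40

/* Simplified stand-in for the rule's TCP flag fields (not the real struct ip_fw). */
struct rule {
    uint8_t fw_tcpf;     /* flags that must be set */
    uint8_t fw_tcpnf;    /* flags that must be clear */
    int     established; /* separate marker, used only by match_fixed() */
};

/* Model of the pre-fix matcher: "established" lives in fw_tcpf as bit 0x40. */
int match_buggy(const struct rule *r, uint8_t th_flags)
{
    if ((r->fw_tcpf & IP_FW_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;                              /* RST or ACK set: really established */
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf) /* ESTAB bit == TH_ECE, so ECE alone passes */
        return 0;
    return (th_flags & r->fw_tcpnf) == 0;
}

/* Model of fix option 1: "established" is tracked outside fw_tcpf. */
int match_fixed(const struct rule *r, uint8_t th_flags)
{
    if (r->established && !(th_flags & (TH_RST | TH_ACK)))
        return 0;                              /* neither RST nor ACK: not established */
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf)
        return 0;
    return (th_flags & r->fw_tcpnf) == 0;
}

/* The rule "accept tcp from TARGET to SECURE established" under each matcher. */
int established_rule_buggy(uint8_t th_flags)
{
    struct rule r = { IP_FW_TCPF_ESTAB, 0, 0 };
    return match_buggy(&r, th_flags);
}

int established_rule_fixed(uint8_t th_flags)
{
    struct rule r = { 0, 0, 1 };
    return match_fixed(&r, th_flags);
}
```

A SYN with ECE set (0x42) is accepted by the pre-fix matcher and rejected by the fixed one, while a plain ACK is accepted by both.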
>Release-Note:
>Audit-Trail:
>Unformatted:
