Date: Mon, 30 Jul 2001 03:53:43 -0700 (PDT)
From: David Newall <david.newall@tellurian.com.au>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/29323: ipfw's "established" option incorrectly passes packets with ECN-Echo flag set
Message-ID: <200107301053.f6UArhD50612@freefall.freebsd.org>

>Number:         29323
>Category:       kern
>Synopsis:       ipfw's "established" option incorrectly passes packets with ECN-Echo flag set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 30 04:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     David Newall
>Release:        4.2-RELEASE
>Organization:
Tellurian Pty Ltd
>Environment:
FreeBSD custfw.tellurian.com.au 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20 13:02:55 GMT 2000 jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC i386
>Description:
Ipfw rules that specify "established" TCP packets incorrectly match
packets with the ECN-Echo flag set (see RFC 2481). This type of rule is
sometimes used to permit unrestricted "outbound" and restricted "inbound"
connections. Intruders can exploit this fault to penetrate a firewall
that is so configured.
>How-To-Repeat:
Create an ipfw incorporating the following general rules:

    ...
    accept tcp from TARGET to SECURE established
    deny tcp from TARGET to SECURE
    ...

then attempt to connect from TARGET to SECURE having set tcp flag 0x40.
>Fix:
There are a number of good ways to fix the problem.

1. Modify ip_fw.h, ip_fw.c and ipfw.c so that IP_FW_TCPF_ESTAB is not
   stored in fw_tcpf (best solution);
2. Modify ip_fw.c so that rules with IP_FW_TCPF_ESTAB set return 0 if
   neither the RST nor ACK flags are set (acceptable, but will need
   rework when the number of allocated flags exceeds 8); or
3. Modify ipfw.c to set fw_tcpnf to -1 (work around).

An acceptable work-around is to modify ipfw.c, appending

    rule.fw_tcpnf = 1;

after line 1896, which reads

    rule.fw_tcpf |= IP_FW_TCPF_ESTAB;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
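The flag collision described in the report, modelled in C as an added example; it is not part of the original message and not the FreeBSD source. Assumptions: the struct and function names are hypothetical, the pseudo-flag is taken to share bit 0x40 with ECN-Echo, and the flag fields are 8 bits wide so that -1 becomes 0xff.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard TCP header flag bits. */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40 /* ECN-Echo, RFC 2481 */

/* Assumption: the "established" pseudo-flag occupies the same bit as ECN-Echo. */
#define MODEL_TCPF_ESTAB 0x40

/* Simplified rule model holding only the two fields named in the report. */
struct model_rule {
    uint8_t fw_tcpf;  /* flags that must be set in the packet   */
    uint8_t fw_tcpnf; /* flags that must be clear in the packet */
};

/* Flawed matcher: "established" is stored as one more required flag bit. */
static int match_flawed(uint8_t th_flags, const struct model_rule *r)
{
    if ((r->fw_tcpf & MODEL_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf)
        return 0; /* a required flag is missing */
    return (th_flags & r->fw_tcpnf) == 0;
}

/* Fix option 2: an "established" rule never matches without RST or ACK. */
static int match_fixed(uint8_t th_flags, const struct model_rule *r)
{
    if (r->fw_tcpf & MODEL_TCPF_ESTAB)
        return (th_flags & (TH_RST | TH_ACK)) != 0;
    if ((th_flags & r->fw_tcpf) != r->fw_tcpf)
        return 0;
    return (th_flags & r->fw_tcpnf) == 0;
}

int main(void)
{
    const struct model_rule est = { MODEL_TCPF_ESTAB, 0 };
    const struct model_rule est_wa = { MODEL_TCPF_ESTAB, 0xff }; /* fix option 3 */
    const uint8_t pkts[] = { TH_SYN, TH_SYN | TH_ECE, TH_ACK, TH_RST };
    for (size_t i = 0; i < sizeof pkts; i++)
        printf("flags=0x%02x flawed=%d fixed=%d workaround=%d\n", pkts[i],
               match_flawed(pkts[i], &est), match_fixed(pkts[i], &est),
               match_flawed(pkts[i], &est_wa));
    return 0;
}
```

In this model only the SYN packet carrying bit 0x40 is treated differently by the flawed matcher; ACK and RST packets still match under both the code fix and the all-ones fw_tcpnf work-around.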