From: Alexander Leidinger <alexander@leidinger.net>
To: "R. B. Riddick"
Cc: freebsd-security@freebsd.org, "Julian H. Stacey"
Date: Sat, 11 Nov 2006 21:32:55 +0100
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID: <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>
List-Id: "Security issues [members-only posting]"

Quoting "R. B. Riddick" (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):

> --- "Julian H. Stacey" wrote:
>> I tried adding
>>         ${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>>         ${fwcmd} tcp from any http to me established in via tun0
>>         ${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about         established ?
>>
> Hmm...
> I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know
> the ports, the IPs, control over routing in pub inet(?) and some little
> secrets in the TCP headers (I don't know exactly how it works):
> add check-state
> add pass icmp from any to any keep-state out xmit tun0
> add pass tcp from any to any setup keep-state out xmit tun0
> add pass udp from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:

00100 6423992 376898110 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
20000       0         0 check-state
30000   10013   1047483 deny tcp from any to any established
30100     226     45640 deny ip from any to any not verrevpath in
30200       7       280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):

30800 3149862 117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.

-- 
Committees have become so important nowadays that subcommittees have
to be appointed to do the work.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
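The stateful ruleset the thread converges on (check-state before the "deny established" catch-all, keep-state on outbound connections, plus the verrevpath, !mss and bogon denies from the stats), as an added example that is not code from the thread or from src/etc/rc.firewall. It assumes tun0 is the outside interface (as in the thread), invents its own rule numbers, and emits the rules through a FWCMD variable that defaults to "echo" so the script can be run as a dry run without ipfw present (set FWCMD=/sbin/ipfw to apply them). The second part reads counters in the format `ipfw -a list` prints, over a constructed sample, and reports which deny rules have actually fired, which is how you would check that the denies are doing something:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: outside
# interface tun0, rule numbers chosen here, and FWCMD (default "echo")
# as the command that receives the rules.

fw_rules() {
    fwcmd=${FWCMD:-echo}
    oif=${OIF:-tun0}

    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: drop a packet arriving on an interface that is not the
    # one a reply to its source address would leave through.
    $fwcmd add 400 deny ip from any to any not verrevpath in

    # Addresses that must never show up as destinations on the DSL link.
    $fwcmd add 500 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via "$oif"

    # Dynamic rules: a packet that matches a state entry created by a
    # keep-state rule below is accepted here and goes no further.
    $fwcmd add 1000 check-state

    # A packet with ACK/RST set ("established") that reached this point did
    # not match any state entry, so it is not part of a connection we
    # opened: drop it. Faking the flags alone is therefore not enough.
    $fwcmd add 1100 deny tcp from any to any established

    # A SYN without an MSS option is not from a normal TCP stack.
    $fwcmd add 1200 deny tcp from any to any tcpoptions !mss setup

    # Outbound traffic creates state; the replies are matched by check-state.
    $fwcmd add 2000 allow icmp from any to any keep-state out xmit "$oif"
    $fwcmd add 2100 allow tcp from any to any setup keep-state out xmit "$oif"
    $fwcmd add 2200 allow udp from any to any domain keep-state out xmit "$oif"

    $fwcmd add 65000 deny ip from any to any
}

# Constructed sample in the layout of `ipfw -a list`:
# rule-number packets bytes action ...
SAMPLE_STATS='00100 6423992 376898110 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
20000 0 0 check-state
30000 10013 1047483 deny tcp from any to any established
30100 226 45640 deny ip from any to any not verrevpath in
30200 7 280 deny tcp from any to any tcpoptions !mss setup'

# Read counter lines on stdin; print "rule packets" for every deny rule
# whose packet counter is non-zero.
fired_denies() {
    awk '$4 == "deny" && $2 > 0 { print $1, $2 }'
}

# Number of deny rules in the sample that have fired.
fired_deny_count() {
    printf '%s\n' "$SAMPLE_STATS" | fired_denies | wc -l | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
    fw_rules
    printf '%s\n' "$SAMPLE_STATS" | fired_denies
fi
```

Run it as `sh script.sh run` to print the generated rules and the deny rules that have fired in the sample; the order matters, since putting the "deny established" rule before check-state would drop the replies that the state entries are meant to admit.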