Date: Sat, 11 Nov 2006 21:32:55 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: "R. B. Riddick" <arne_woerner@yahoo.com>
Cc: freebsd-security@freebsd.org, "Julian H. Stacey" <jhs@flat.berklix.net>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID: <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>
References: <216597.35069.qm@web30315.mail.mud.yahoo.com>
Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):

> --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
>> I tried adding
>> 	${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>> 	${fwcmd} tcp from any http to me established in via tun0
>> 	${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about "established"?
>>
> Hmm... I personally use "check-state" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know the
> ports, the IPs, control over routing in pub inet(?) and some little
> secrets in the TCP headers (I don't know exactly how it works):
> add check-state
> add pass icmp from any to any keep-state out xmit tun0
> add pass tcp from any to any setup keep-state out xmit tun0
> add pass udp from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:

00100 6423992 376898110 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
20000       0         0 check-state
30000   10013   1047483 deny tcp from any to any established
30100     226     45640 deny ip from any to any not verrevpath in
30200       7       280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):

30800 3149862 117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.

-- 
Committees have become so important nowadays that subcommittees have
to be appointed to do the work.

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
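The difference the thread is circling around, as an added illustration that is not part of the mailing-list message: ipfw's `established` keyword is a stateless check on the ACK/RST bits of a single segment, while `check-state` plus `setup keep-state out` only admits inbound segments that belong to a flow the inside host opened. The toy classifier below models both rule styles (it is a simulation, not ipfw itself; all hosts and ports are constructed) and shows why a `deny tcp from any to any established` placed after `check-state`, as in Alexander's rule 30000, catches exactly the inbound ACK-only segments that no dynamic rule vouches for.

```python
"""Toy model of ipfw "established" vs. check-state/keep-state.

Constructed example, not code from the mailing-list post. It models a
firewall host with two alternative rulesets:

  stateless:  pass tcp from me to any setup out
              pass tcp from any to any established
              (default deny)

  stateful:   check-state
              pass tcp from any to any setup keep-state out
              (default deny; an "established" segment that reaches this
               point has no dynamic rule and is therefore rejected)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}
    direction: str    # "in" or "out", relative to the firewall host


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear (first segment of a handshake)."""
    return "SYN" in p.flags and "ACK" not in p.flags


def is_established(p: Packet) -> bool:
    """ipfw 'established': RST or ACK bit set. No memory of prior traffic."""
    return bool(p.flags & {"ACK", "RST"})


def stateless_firewall(p: Packet, me: str) -> str:
    """Stateless ruleset: any segment carrying ACK is accepted, whoever sent it."""
    if p.direction == "out" and p.src == me and is_setup(p):
        return "allow"
    if is_established(p):
        return "allow"
    return "deny"


class StatefulFirewall:
    """check-state + 'setup keep-state out': only inside-initiated flows pass."""

    def __init__(self) -> None:
        # dynamic rules keyed as (local_ip, local_port, remote_ip, remote_port)
        self.dynamic: set = set()

    def check(self, p: Packet) -> str:
        # check-state: match a dynamic rule in either direction
        if p.direction == "out" and (p.src, p.sport, p.dst, p.dport) in self.dynamic:
            return "allow"
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.dynamic:
            return "allow"
        # setup keep-state out: an outbound SYN creates the dynamic rule
        if p.direction == "out" and is_setup(p):
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # anything else, including an unsolicited inbound ACK, falls through
        return "deny"


def run_scenario() -> dict:
    """Three constructed segments: a legitimate outbound connect, its reply,
    and an unsolicited inbound segment with only the ACK flag set."""
    me, web, stranger = "192.0.2.10", "198.51.100.20", "203.0.113.5"
    traffic = [
        Packet(me, 51000, web, 80, frozenset({"SYN"}), "out"),
        Packet(web, 80, me, 51000, frozenset({"SYN", "ACK"}), "in"),
        Packet(stranger, 4444, me, 22, frozenset({"ACK"}), "in"),
    ]
    stateful = StatefulFirewall()
    return {
        "stateless": [stateless_firewall(p, me) for p in traffic],
        "stateful": [stateful.check(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s} {verdicts}")
```

The third segment is the interesting one: the stateless ruleset allows it because the ACK bit alone satisfies `established`, whereas the stateful ruleset has no dynamic entry for it and denies it. That is the population of packets rule 30000 in the message is counting.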