Date:      Sat, 11 Nov 2006 21:32:55 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        "R. B. Riddick" <arne_woerner@yahoo.com>
Cc:        freebsd-security@freebsd.org, "Julian H. Stacey" <jhs@flat.berklix.net>
Subject:   Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID:  <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>
References:  <216597.35069.qm@web30315.mail.mud.yahoo.com>

Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):

> --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
>> I tried adding
>>     ${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>>     ${fwcmd} tcp from any http to me established in via tun0
>>     ${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about established ?
>>
> Hmm... I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know the ports,
> the IPs, control over routing in pub inet(?) and some little secrets in the TCP
> headers (I don't know exactly how it works):
>  add check-state
>  add pass     icmp from any to any        keep-state out xmit tun0
>  add pass     tcp  from any to any  setup keep-state out xmit tun0
>  add pass     udp  from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:
00100 6423992  376898110 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
20000       0          0 check-state
30000   10013    1047483 deny tcp from any to any established
30100     226      45640 deny ip from any to any not verrevpath in
30200       7        280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):
30800 3149862  117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.

-- 
Committees have become so important nowadays that subcommittees have to
be appointed to do the work.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
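An added example, not part of this thread or of FreeBSD: it parses counter lines in the shape of `ipfw -a list` output like the ones quoted above, reports which deny rules actually matched packets, and checks that a check-state rule precedes the flag-only "established" rule so that tracked keep-state flows are passed first. The SAMPLE text is constructed from the numbers in the message; the function and class names are assumptions of this example.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of `ipfw -a list` output (rule number,
# packet count, byte count, rule body), using the counters quoted above.
SAMPLE = """\
00100 6423992  376898110 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
20000       0          0 check-state
30000   10013    1047483 deny tcp from any to any established
30100     226      45640 deny ip from any to any not verrevpath in
30200       7        280 deny tcp from any to any tcpoptions !mss setup
30800 3149862  117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
"""

# rule number, packets, bytes, action keyword, rest of the rule text
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

class Rule(NamedTuple):
    number: int
    packets: int
    octets: int
    action: str
    body: str

def parse_ipfw_list(text):
    """Parse counter lines; blank or unrecognised lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, pkts, octs, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(octs), action, body))
    return rules

def deny_hits(rules):
    """Deny rules that matched at least one packet: {rule number: packets}."""
    return {r.number: r.packets for r in rules
            if r.action == "deny" and r.packets > 0}

def check_state_before_established(rules):
    """True when check-state comes before the first rule matching on the
    bare 'established' flag, so packets of tracked (keep-state) flows are
    passed before the flag-only deny is reached."""
    check = next((r.number for r in rules if r.action == "check-state"), None)
    estab = next((r.number for r in rules if "established" in r.body), None)
    return check is not None and estab is not None and check < estab
```

Run against the sample, `deny_hits` shows the 10013 packets per day that carried TCP ACK/RST flags without belonging to any tracked session, which is exactly what a bare "established" pass rule would have let through.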


