Date:      Thu, 12 Sep 2002 13:00:30 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw, natd, and keep-state - strange behavior?
Message-ID:  <24EBAED8-C671-11D6-90D4-000A27D85A7E@mac.com>
In-Reply-To: <3D80D4A8.5040106@teamlog.com>

On Thursday, September 12, 2002, at 01:53  PM, Pierre-Olivier Fur wrote:
> I agree dfolkins, stateful packet filtering is really cool :) and having 
> stateful and stateless enabled at the same time like David is not useful.
> I have nothing against ipfw cause it's FreeBSD made, but if you really 
> want to use stateful packet filtering at its best I recommend you use 
> a native stateful packet filter.

Let me note that the whole intent of dynamic filtering is to permit return 
connections only in response to internal requests, and it presumes that 
such connections are somehow "safer".  I'm not so confident about that 
assumption as some people seem to be.

Frankly, I'd prefer to use static rules with aggressive ingress *and* 
egress filtering, which also avoids the DoS potential involved with 
overflowing the number of dynamic connections permitted by a given system,
thus causing the stateful firewall to lose track of older legitimate 
connections.  (*)

Excluding TCP sequence-# based attacks, a static rule forbidding new 
external connections (ie, with the SYN bit set and ACK clear) to any but 
explicitly permitted services gives you about the same level of security 
without the overhead of dynamic firewall rules.  YMMV, but in practice it 
seems to be fairly hard to perform a man-in-the-middle attack when you can't 
see any of the internal traffic, source routing is blocked, and internal 
addresses aren't permitted inbound (ie, anti-spoofing).

Besides, most of the servers I deal with support RFC-1918 sequence # 
generation.

-Chuck

PS: If you're using NAT, of course, you're already using stateful 
connections.

        Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
        "The human race's favorite method for being in control of the facts
         is to ignore them."  -Celia Green
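As an added example (not part of the thread, and not FreeBSD's own rc.firewall), here is a static ipfw ruleset of the kind the post argues for: no keep-state or check-state, an explicit "established" rule for packets belonging to existing TCP streams, new inbound connections (SYN set, ACK clear, ipfw's `setup`) admitted only to listed services, source-routed packets dropped, and anti-spoofing plus egress filtering on the outside interface. The interface name em0, the public block 203.0.113.0/29, the resolver address 203.0.113.200 and the permitted ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example: static ipfw ruleset (ingress + egress filtering, no dynamic
# rules). Not from the original thread or from FreeBSD's rc.firewall.
# Interface, address block, resolver and service ports are assumed values.

oif="em0"                 # assumed external interface
onet="203.0.113.0/29"     # assumed public block (RFC 5737 documentation space)
resolver="203.0.113.200"  # assumed upstream DNS resolver
services="22,25,80"       # assumed services reachable from outside

# Emit the ruleset through the command given as $1, rc.firewall style:
# "rules echo" prints a dry run, "rules '/sbin/ipfw -q'" loads it.
# ipfw evaluates rules in number order, so every deny that must win over
# a later allow is numbered below it.
rules() {
    fw="$1"
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any
    # source-routed packets are dropped outright
    $fw add 200 deny ip from any to any ipoptions ssrr,lsrr
    # anti-spoofing: RFC 1918 space and our own block never arrive from outside
    $fw add 300 deny ip from 10.0.0.0/8 to any in via $oif
    $fw add 301 deny ip from 172.16.0.0/12 to any in via $oif
    $fw add 302 deny ip from 192.168.0.0/16 to any in via $oif
    $fw add 303 deny ip from $onet to any in via $oif
    # egress filtering: only packets sourced from our block may leave
    $fw add 400 deny ip from not $onet to any out via $oif
    # 'established' = ACK or RST set, i.e. part of an existing stream
    $fw add 500 allow tcp from any to any established
    # 'setup' = SYN set and ACK clear, i.e. a new connection: inbound only
    # to the permitted services, outbound from our block freely
    $fw add 510 allow tcp from any to $onet $services in via $oif setup
    $fw add 520 deny log tcp from any to any in via $oif setup
    $fw add 530 allow tcp from $onet to any out via $oif setup
    # UDP carries no flags to key on, so a static filter must name the
    # replies explicitly; only DNS to the assumed resolver is opened here
    $fw add 600 allow udp from $onet to $resolver 53 out via $oif
    $fw add 610 allow udp from $resolver 53 to $onet in via $oif
    # ICMP unreachable / time-exceeded, needed for path MTU discovery
    $fw add 700 allow icmp from any to any icmptypes 3,11
    $fw add 65000 deny log ip from any to any
}

# Sanity check on the generated ruleset: every anti-spoofing deny must carry
# a lower number than the blanket 'established' allow, or a spoofed packet
# with ACK set would be accepted before the spoof rules see it. Returns 0
# when the order holds.
ordering_ok() {
    first_allow=$(rules echo | awk '/^add [0-9]+ allow tcp .*established$/ {print $2; exit}')
    last_spoof=$(rules echo | awk '/^add [0-9]+ deny ip from .* in via/ {n=$2} END {print n}')
    [ -n "$first_allow" ] && [ -n "$last_spoof" ] && [ "$last_spoof" -lt "$first_allow" ]
}

case "${1:-}" in
    apply) /sbin/ipfw -q -f flush && rules "/sbin/ipfw -q" ;;
    *)     rules echo ;;   # dry run: print the rules that would be loaded
esac
```

Run without arguments to print the ruleset, or with `apply` (as root, on a FreeBSD host with ipfw in the kernel) to flush and load it. Two trade-offs of the static approach are visible in the rules: rule 500 admits any inbound TCP segment with ACK set, which is exactly the sequence-number class of attack the post sets aside, and UDP replies have to be enumerated one service at a time, since there are no flags to distinguish a reply from a new flow.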

