From owner-freebsd-security Tue Jul 16 11:39:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E320537B405 for ; Tue, 16 Jul 2002 11:39:48 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4153043E58 for ; Tue, 16 Jul 2002 11:39:48 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020716183947.PCCH6023.sccrmhc02.attbi.com@blossom.cjclark.org>; Tue, 16 Jul 2002 18:39:47 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g6GIdkJK020750; Tue, 16 Jul 2002 11:39:46 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g6GIdjNq020749; Tue, 16 Jul 2002 11:39:45 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Tue, 16 Jul 2002 11:39:45 -0700
From: "Crist J. Clark"
To: "Dmitry S. Rzhavin"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020716183945.GA20381@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <3D32D849.E3D8F2BE@rt.ru> <3D32EEBD.E66100A1@rt.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D32EEBD.E66100A1@rt.ru>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, Jul 15, 2002 at 07:48:13PM +0400, Dmitry S. Rzhavin wrote:
> Dag-Erling Smorgrav wrote:
> >
> > "Dmitry S. Rzhavin" writes:
> > > 10 pass tcp from any to ip2 in keep-state setup
> > > ... nothing interesting here
> > > 20 deny tcp from any to ip2
> > >
> > >
> > > Or, in other words, I want to pre-auth some packet with rule 10 to
> > > check it later. Then, I decide to drop it.
> > > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > > session. I think this is not good. Why does ipfw work this way?
> >
> > That's what you asked it to do. Rule 10 basically says "if the packet
> > is a tcp SYN packet destined for ip2, stop examining it, let it
> > through
>
> nonono! Rule 10 says "let it _in_", not out! Or:
>
>                             --------------
>  --------                   |IPFW is here|
>  |packet|==[flows in]=>in_if----         out_if
>  --------                   |packet|==>X |
>                             --------------
>    fly in is allowed ^^^     ^^^ packet dies here
>
> So, I expect (at least) dynamic rule to be "pass ip from inet to ip1 _in_".
> Or, as the best solution, rule "in" creates dynamic candidate, and stateful
> dynamic rule is created only if packet is allowed to go out. If packet dies
> inside ipfw, rule dies too.
> So, the question is: why is this bad? Why did the FreeBSD Team choose to create
> dynamic rule "in/out" for "in" static rule? Is it a bug, or a feature?

For TCP and UDP packets, a 'keep-state' rule will create a dynamic rule
that matches packets with the same set of IP-port pairs coming or going
on any interface. Why is it done this way? That's how the original
'keep-state' hack was done. Off of the top of my head, I can't think of
firewall software that doesn't work this way.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
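The keep-state behaviour described in the reply above, as an added illustration that is not part of the thread and not ipfw's own code: a small Python model of ipfw's rule walk in which a keep-state rule (a) performs an implicit check-state against the dynamic-rule table and (b) on a static match records a dynamic rule keyed on protocol and the unordered pair of address/port endpoints, so it matches both directions on any interface. The model assumes a default-deny rule 65535, ignores dynamic-rule expiry, and uses RFC 5737 documentation addresses in place of Dmitry's ip2 and his "inet" client. It replays Dmitry's rules 10 and 20 against the same SYN seen first on in_if and then being forwarded out of out_if, and then a variant with an explicit out-direction deny placed ahead of the keep-state rule.

```python
# Added example: a toy model of the ipfw static/dynamic rule evaluation
# discussed in the thread.  It is NOT ipfw code.  Assumptions: default
# rule 65535 is "deny", dynamic-rule expiry is ignored, and ip2 / the
# client are RFC 5737 documentation addresses chosen here.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    iface: str              # informational only: dynamic rules ignore it
    syn_only: bool = False  # TCP SYN without ACK, what "setup" matches


@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "pass" or "deny"
    proto: str              # "tcp", "udp" or "ip" (any)
    dst: str                # destination address or "any"
    direction: Optional[str] = None  # "in", "out" or None for either
    setup: bool = False
    keep_state: bool = False


def flow_key(p: Packet) -> Tuple:
    """Unordered (proto, endpoint, endpoint) key: identical for both directions."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: set = set()            # flow keys of live dynamic rules
        self.log: List[Tuple[int, str, str]] = []

    @staticmethod
    def static_match(r: Rule, p: Packet) -> bool:
        return ((r.proto == "ip" or r.proto == p.proto)
                and (r.dst == "any" or r.dst == p.dst)
                and (r.direction is None or r.direction == p.direction)
                and (not r.setup or p.syn_only))

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:
            # A keep-state rule performs an implicit check-state first: a
            # matching dynamic rule passes the packet regardless of the
            # static rule's own direction or "setup" restrictions.
            if r.keep_state and flow_key(p) in self.dynamic:
                self.log.append((r.number, "dynamic", "pass"))
                return "pass"
            if self.static_match(r, p):
                if r.keep_state:
                    self.dynamic.add(flow_key(p))
                self.log.append((r.number, "static", r.action))
                return r.action
        self.log.append((65535, "default", "deny"))
        return "deny"


IP2 = "192.0.2.2"          # stands in for Dmitry's "ip2" (constructed)
CLIENT = "198.51.100.7"    # a host on the "inet" side (constructed)


def packets() -> List[Packet]:
    """One SYN as seen on in_if, the same SYN being forwarded out of
    out_if, and ip2's SYN/ACK coming back in on out_if."""
    return [
        Packet("tcp", CLIENT, 40000, IP2, 22, "in", "in_if", syn_only=True),
        Packet("tcp", CLIENT, 40000, IP2, 22, "out", "out_if", syn_only=True),
        Packet("tcp", IP2, 22, CLIENT, 40000, "in", "out_if"),
    ]


def original_ruleset():
    """Dmitry's rules 10 and 20: the forwarded SYN never reaches rule 20."""
    fw = Firewall([
        Rule(10, "pass", "tcp", IP2, direction="in", setup=True, keep_state=True),
        Rule(20, "deny", "tcp", IP2),
    ])
    return [fw.evaluate(p) for p in packets()], fw.log


def deny_out_first():
    """Same rules plus an out-direction deny *before* the keep-state rule.
    The forwarded SYN now dies, but the dynamic rule created on the way
    in survives and still passes the reply."""
    fw = Firewall([
        Rule(5, "deny", "tcp", IP2, direction="out"),
        Rule(10, "pass", "tcp", IP2, direction="in", setup=True, keep_state=True),
        Rule(20, "deny", "tcp", IP2),
    ])
    return [fw.evaluate(p) for p in packets()], fw.log, len(fw.dynamic)


if __name__ == "__main__":
    for name, fn in (("original", original_ruleset), ("deny out first", deny_out_first)):
        res = fn()
        print(name, res[0], res[1])
```

In the first scenario every packet is passed at rule 10, the second and third by the dynamic rule, so the deny in rule 20 is never consulted, which is the behaviour the reply describes. In the second scenario the forwarded SYN is dropped by rule 5, yet the dynamic rule created when the SYN came in remains in the table and passes the return traffic; on a real system the live dynamic rules can be inspected with `ipfw -d list`.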