From owner-freebsd-security Thu Sep 12 14:50:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D696937B400 for ; Thu, 12 Sep 2002 14:50:24 -0700 (PDT) Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8857D43E6A for ; Thu, 12 Sep 2002 14:50:24 -0700 (PDT) (envelope-from jason@shalott.net) Received: (qmail 62806 invoked by uid 1000); 12 Sep 2002 21:50:19 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Sep 2002 21:50:19 -0000 Date: Thu, 12 Sep 2002 14:50:18 -0700 (PDT) From: Jason Stone X-X-Sender: To: Subject: Re: ipfw, natd, and keep-state - strange behavior? In-Reply-To: Message-ID: <20020912144554.L3276-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > but wont that actually result in an overly permissive firewall? e.g., if > > you want to allow outgoing http connections, you have to allow packets > > from > > any external server port 80 to a whole bunch of tcp ports on internal ips. > > Nope. While I prefer to use a proxy to centralize web access to the > outside via my interior firewall, you can also do something like: > > add pass tcp from $INET $HIPORTS to any 80,443 > add pass tcp from any 80,433 to $INET $HIPORTS established > > Without performing the TCP 3-way startup (starting with a packet with SYN= > 1 and ACK=0), the TCP sequence numbers won't match and the client being > scanned from some random external IP will simply drop the invalid > connection attempt. Yes, unless of course the client has a broken tcp stack (think teardrop). Having the firewall permit such packets and counting on the client to correctly discard them is probably a bad idea - after all, if you trust the clients to run a properly configured and non-broken OS, why have a firewall at all? Packets that the client is just going to discard anyway should certainly be discarded by the firewall, and this is exactly what the keep-state/check-state rules do for you. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9gQwbswXMWWtptckRAkdHAKDgeWgGuPUEVqfsydsRRCOQ4Y2OZgCbBijU d/+GbAPNtjYpXh9XMbXkR2w= =qcl5 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message