From: Darren Reed
Subject: Re: ipfw, natd, and keep-state - strange behavior?
To: jeff-ml@mountin.net (Jeffrey J. Mountin)
Cc: jason-fbsd-security@shalott.net (Jason Stone), freebsd-security@FreeBSD.ORG
Date: Fri, 13 Sep 2002 12:52:50 +1000 (Australia/ACT)
Message-Id: <200209130252.MAA24453@caligula.anu.edu.au>
In-Reply-To: <4.3.2.20020912211509.02e4cb20@207.227.119.2> from "Jeffrey J. Mountin" at Sep 12, 2002 09:36:27 PM

In some mail from Jeffrey J. Mountin, sie said:
[...]
> >We are not presuming anything of the kind - obviously, any packets that
> >you mean to deny you set up deny rules for. We are talking about
> >a situation where you want to allow a particular outbound service. With
> >your ruleset, you are allowing packets back into the internal network that
> >should never be allowed in there. With a ruleset that involves
> >keep/check-state, you have the same semantics in terms of what you mean to
> >allow, but you deny more packets that shouldn't be allowed. And if you're
> >only setting keep-state on the rules allowing the outbound setup packets,
> >you probably don't have to worry about DoS.
>
> Right. One can DoS a stateful firewall if any inbound connections are
> allowed. This is something to consider when making the choice. Also if
> you alter the timeouts, which should be just long enough for normal
> operation with some extra for sanity's sake. Once the limit of stateful
> rules is reached there should be some sort of clean-up to reduce the impact
> on legitimate connections. Not sure if IPFW or IPFilter do this, but
> Cisco's PIX handles this by killing off embryonic connections (i.e. SYN flood).

IPFilter does go looking for "low hanging fruit" to get rid of when it
notices that the limit of stateful sessions has been reached.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
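A toy model of the state-table behaviour discussed in this thread, added here as an illustration; it is not ipfw, IPFilter or PIX code. It shows how entries created by keep-state rules fill a bounded table, and how short embryonic timeouts plus embryonic-first clean-up keep established sessions alive when the limit is hit. The limit, the timeouts and the flow tuples are constructed values.

```python
"""Toy model of a stateful firewall's dynamic-rule table (constructed example,
not ipfw, IPFilter or PIX code). Entries are created when a keep-state rule
matches a SYN; a flood of such SYNs fills the table unless clean-up runs."""
from dataclasses import dataclass


@dataclass
class Entry:
    flow: tuple          # constructed (src, sport, dst, dport) 4-tuple
    established: bool    # False = embryonic: SYN seen, handshake not finished
    last_seen: float


class StateTable:
    def __init__(self, limit, syn_timeout, est_timeout):
        self.limit = limit               # max dynamic entries (constructed)
        self.syn_timeout = syn_timeout   # short: half-open entries die fast
        self.est_timeout = est_timeout   # longer: idle established sessions
        self.entries = {}

    def expire(self, now):
        """Drop entries idle longer than the timeout for their state."""
        for flow, e in list(self.entries.items()):
            t = self.est_timeout if e.established else self.syn_timeout
            if now - e.last_seen > t:
                del self.entries[flow]

    def _evict_embryonic(self):
        """Clean-up on a full table: drop the oldest half-open entry."""
        victims = [e for e in self.entries.values() if not e.established]
        if not victims:
            return False
        del self.entries[min(victims, key=lambda e: e.last_seen).flow]
        return True

    def add(self, flow, now):
        """Install state for a new SYN; False means the packet is dropped."""
        self.expire(now)
        if len(self.entries) >= self.limit and not self._evict_embryonic():
            return False   # table full of live sessions: legit or not, dropped
        self.entries[flow] = Entry(flow, False, now)
        return True

    def complete(self, flow, now):
        """Handshake finished: promote the entry and refresh its timer."""
        e = self.entries.get(flow)
        if e is not None:
            e.established, e.last_seen = True, now
```

Without the embryonic-first eviction in `add`, the third half-open entry would have been refused outright and a table full of half-open entries would also starve new legitimate connections until `expire` ran.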