From owner-freebsd-security Sat Sep 14 15:09:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 346E137B400 for ; Sat, 14 Sep 2002 15:09:12 -0700 (PDT)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 073E543E4A for ; Sat, 14 Sep 2002 15:09:11 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.12.5/8.12.5) with ESMTP id g8EM92B5043544; Sun, 15 Sep 2002 08:09:03 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200209142209.g8EM92B5043544@drugs.dv.isc.org>
To: Wincent Colaiuta
Cc: Mark_Andrews@isc.org, Jason Stone, freebsd-security@FreeBSD.ORG
From: Mark.Andrews@isc.org
Subject: Re: ipfw, natd, and keep-state - strange behavior?
In-reply-to: Your message of "Sat, 14 Sep 2002 20:45:59 +0930." <58D716D2-C7D3-11D6-B5B5-003065C60B4C@wincent.org>
Date: Sun, 15 Sep 2002 08:09:02 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>
> On Friday, 13 September 2002, at 09:46 AM, Mark.Andrews@isc.org
> wrote:
>
> >> We're replacing:
> >>
> >> allow tcp from $INET to any 22 setup
> >> allow tcp from any 22 to $INET established
> >>
> >> with
> >>
> >> check-state
> >> allow tcp from $INET to any 22 setup keep-state
> >>
> >>
> >> -Jason
> >
> > Note: keep-state works well with protocols that are chatty.
> > 'ssh' is not chatty. You need to adjust the timeouts to
> > support ssh otherwise the rules will timeout.
> >
> > Mark
>
> And when you do that you increase your susceptibility to a flood DOS.
> So it's all a balancing act and there's no such thing as an
> invulnerable system.
>
> Cheers
> Wincent
>

Well do you want a system that works or one that is slightly more
vulnerable to an accidental exhaustion of rule slots. If they are
exhausted you need a bigger table to start with.

Note. If they are going to DoS you there is no way any particular
timeout will prevent that. Also this has to originate from inside as
you should have an anti-spoofing rule before the keep-state rule.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
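The rule set and tunables the thread argues about, as an added example (not code from the thread, from Mark, or from FreeBSD's own rc.firewall): an ipfw fragment that puts the anti-spoofing rule ahead of check-state/keep-state and raises the dynamic-rule timeout and the table size together, plus a rough sizing check for the "bigger table" point. The inside network, outside interface, timeout and table size are assumed placeholders; the sysctl names are FreeBSD's ipfw dynamic-rule tunables.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw fragment applying the
# advice above. INET, OIF, the timeout and the table size are assumed values;
# set FWCMD=echo SYSCTL=echo to print the commands instead of running them.
FWCMD="${FWCMD:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
INET="${INET:-192.0.2.0/24}"   # constructed inside network (RFC 5737 block)
OIF="${OIF:-fxp0}"             # assumed outside interface

# Mark's point: a quiet ssh session outlives the default ack lifetime, so
# raise it; that multiplies table occupancy, so grow the dynamic table too.
SSH_IDLE="${SSH_IDLE:-3600}"   # seconds an idle established flow stays in the table
DYN_MAX="${DYN_MAX:-8192}"     # maximum number of dynamic rules

tune_dynamic() {
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime="$SSH_IDLE"
    $SYSCTL net.inet.ip.fw.dyn_max="$DYN_MAX"
}

load_rules() {
    # Anti-spoofing before any stateful rule: a packet claiming an inside
    # source address may not arrive on the outside interface, so only inside
    # hosts can create dynamic entries (the thread's last point).
    $FWCMD add 100 deny ip from "$INET" to any in via "$OIF"
    # Stateful replacement for the old "setup" / "established" pair.
    $FWCMD add 200 check-state
    $FWCMD add 210 allow tcp from "$INET" to any 22 setup keep-state
    $FWCMD add 65000 deny ip from any to any
}

# Sizing check: R new sessions per second, each held LIFETIME seconds, occupy
# about R*LIFETIME slots at steady state. Succeeds if that fits under DYN_MAX.
fits_table() {  # fits_table <sessions_per_sec> <lifetime_seconds> <dyn_max>
    [ $(( $1 * $2 )) -lt "$3" ]
}

if [ "${1:-}" = "apply" ]; then
    tune_dynamic
    load_rules
fi
```

Run with `apply` as root on the firewall; with `FWCMD=echo SYSCTL=echo` it only prints the commands, which is a useful way to review rule order before loading.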