Date: Thu, 20 Mar 2003 18:52:32 +0200
From: Giorgos Keramidas <keramida@freebsd.org>
To: Drew Tomlinson <drew@mykitchentable.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID: <20030320165232.GB6347@gothmog.gr>
In-Reply-To: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong>
References: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong>
On 2003-03-19 15:19, Drew Tomlinson <drew@mykitchentable.net> wrote:
> I'm using ipfw2 to setup a firewall on 4.8-RC for my home network.
> I used the rule set at
>
> http://www.bsdtoday.com/2000/December/rc.firewall.current
>
> as an example but am confused regarding the differences between
> setting rules using "setup/established" and "keep-state /
> check-state". I've read the ipfw man page and understand that
> "setup/established" matches syn/ack bits in a packet where
> "keep-state/check-state" actually creates a dynamic rule.
> But not being real knowledgeable about how IP packets are
> constructed, I'm not sure what this means in the real world.

It means that `established' uses a very simple test of packet contents
to find out if this packet belongs to an existing connection. This
simple test is "good enough" for some packets, but will match packets
that are not part of a real, existing connection too.

> If I understand it correctly, the example at BSDToday basically uses
> "setup/established" to allow traffic in for services that I allow.
> So in my case I would use it for FTP, SMTP, SSH, and HTTP. Then the
> rule set uses "keep-state/check-state" for connections originating
> from my internal network to the outside world. But why should I not
> use "keep-state/check-state" for everything by adding my check-state
> rule near the top and then adding the following rule for incoming
> services:
>
> ipfw add allow ip from any to $inwr 21,22,25,80 keep-state

As a matter of fact, you should. The 'established' keyword is not as
nice as a real, stateful firewall (which {keep,check}-state gives you).

> I've actually done this and it is working but I'd like to know if
> this is a good or bad idea and why.

In a reply to a private message, a few weeks ago, I tried to explain
the difference to someone. Here's the message, without any names.
I hope this helps a bit :-)

From: Giorgos Keramidas <keramida@freebsd.org>
Date: Wed, 26 Feb 2003 03:51:08 +0200

On 2003-02-25 17:15, you wrote:
>On Wed, 26 Feb 2003 02:36:18 Giorgos Keramidas wrote:
>>On 2003-02-25 16:29, you wrote:
>>> On Wed, 26 Feb 2003 02:25:12 Giorgos Keramidas wrote:
>>> >
>>> >The changes from your own set of rules are summarized below:
>>> >[...]
>>>
>>> Indeed! I do have the variables listed defined, and have natd
>>> configured and working. Thank you very much--not only did you
>>> answer my question, but gave me a better understanding of ipfw!
>>
>>I did? Oh, cool :)))
>
> Just wondering, do I not need the 'established' rule to let existing
> connections persist?

The ipfw manpage contains this description of the 'established'
keyword, which means a lot to someone who knows how TCP handles
connections and what the bits RST and ACK are used for.

    established
            Matches TCP packets that have the RST or ACK bits set.

This is, alas, a very cryptic and strange thing for someone who doesn't
know the internals of the TCP protocol. Which is something that I
wouldn't expect the casual reader of the manpage to know. The detailed
explanation of how this keyword matches packets is very large for me to
include in a single email reply, and I won't even attempt to do
something like this.

For the moment, let's say that 'established' is a very simplistic way
of filtering packets that are part of an existing connection. The
keep-state and check-state combination that I used instead of your
initial established ruleset works a lot better and has a quite better
chance of blocking packets that are not part of a "real" TCP
connection.

Bearing this in mind, you might find it easier to accept the
keep-state/check-state pair as a safer way of filtering. The
keep-state keyword creates a dynamic rule for every successful
connection that matches, and check-state runs through the list of
dynamic rules looking for matches before passing a packet.
It's safer to use because the dynamic rules are created by keep-state
to match the existing connections and then deleted after the connection
dies; instead of allowing through any packet that is "possibly part of
an existing connection because it includes one of ACK or RST flags or
both".

When you use the 'established' keyword, your firewall is open to
attacks by ingenious hackers who know the way TCP works and create
their own 'custom' packets, including RST or ACK flags, in the hope
that their packet will pass through improperly configured firewalls
(such as those who depend on 'established' for their blocking rules).
Once a packet has been allowed through by an 'established' rule it will
probably have a chance to reach the internal network, going out through
a different interface, and let the attacker establish a limited but
nevertheless important "channel of information retrieval" for your
internal network.

Now, after all this, you might be wondering "if 'established' is so
unsafe in comparison to keep-state why is it still supported by ipfw?"

The real answer to this is "because Luigi, the author of ipfw, chose to
keep backwards compatibility with rulesets that use 'established'
instead of removing it long ago and causing many administrators around
the world to curse, when they discovered that their firewall rulesets
broke when they upgraded from one version of FreeBSD 4.X to a newer
version in the 4.X branch of development."

I think I will ask Luigi to remove 'established' in FreeBSD 5.X. If he
doesn't like the idea, I will probably sit down and write a big, fat
warning in the manpage that suggests avoiding 'established' and going
for a pair of 'keep-state/check-state' rules instead.
I hope I didn't confuse the heck out of you,

- Giorgos
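The difference Giorgos describes can be shown with a small model: the `established` test looks only at the RST/ACK bits of a packet, while keep-state/check-state consults a table of dynamic rules that were created by an earlier matching packet and that expire when the connection dies. The following Python is an added example written for this archive page; it is not ipfw code and not part of the original messages. The addresses, ports, the 300-second lifetime and the policy functions are constructed assumptions that stand in for a ruleset of the shape `check-state` followed by `allow tcp from $inside to any setup keep-state`; real ipfw dynamic rules track more TCP state than this toy table does.

```python
"""Toy model of ipfw 'established' versus keep-state/check-state.
Constructed example for illustration; not ipfw's own code."""
from dataclasses import dataclass, field

# TCP flag bits as they appear in the header
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives on the outside interface


def established_allows(pkt: Packet) -> bool:
    """The 'established' keyword: any TCP packet carrying RST or ACK
    matches, whether or not a connection actually exists."""
    return bool(pkt.flags & (RST | ACK))


@dataclass
class DynamicRules:
    """Dynamic-rule table filled by keep-state and read by check-state.
    Entries are keyed on the 5-tuple that created them and match in
    both directions until they expire (assumed lifetime in seconds)."""
    lifetime: float = 300.0
    table: dict = field(default_factory=dict)

    def keep_state(self, pkt: Packet, now: float) -> None:
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.lifetime

    def check_state(self, pkt: Packet, now: float) -> bool:
        # Drop entries whose connection has died (timed out).
        self.table = {k: t for k, t in self.table.items() if t > now}
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        matched = [k for k in (forward, reverse) if k in self.table]
        for k in matched:  # traffic on a live connection refreshes it
            self.table[k] = now + self.lifetime
        return bool(matched)


def is_outbound_setup(pkt: Packet) -> bool:
    """Equivalent of 'from $inside to any setup': SYN without ACK, going out."""
    return (not pkt.inbound) and bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def stateful_policy(pkt: Packet, rules: DynamicRules, now: float) -> str:
    """check-state first, then allow outbound setups with keep-state."""
    if rules.check_state(pkt, now):
        return "allow"
    if is_outbound_setup(pkt):
        rules.keep_state(pkt, now)
        return "allow"
    return "deny"


def established_policy(pkt: Packet) -> str:
    """The older style: 'allow tcp from any to any established' plus
    outbound setups, with no memory of which connections exist."""
    if established_allows(pkt) or is_outbound_setup(pkt):
        return "allow"
    return "deny"


def run_scenario() -> dict:
    """Constructed traffic: one real connection and one unsolicited
    inbound packet that merely has the ACK bit set."""
    rules = DynamicRules(lifetime=300.0)
    t0 = 1000.0
    inside, peer, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    syn = Packet(inside, 40000, peer, 80, SYN, inbound=False)
    synack = Packet(peer, 80, inside, 40000, SYN | ACK, inbound=True)
    stray_ack = Packet(stranger, 1234, inside, 22, ACK, inbound=True)
    return {
        "syn_stateful": stateful_policy(syn, rules, t0),
        "synack_stateful": stateful_policy(synack, rules, t0 + 0.1),
        "stray_stateful": stateful_policy(stray_ack, rules, t0 + 1.0),
        "stray_established": established_policy(stray_ack),
        "synack_established": established_policy(synack),
        # Long after the dynamic rule has expired, even the real peer is refused.
        "synack_after_expiry": stateful_policy(synack, rules, t0 + 1000.0),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The two policies agree on the legitimate SYN/ACK reply, but only the stateful one refuses the unsolicited packet that happens to carry ACK, and only the stateful one stops passing reply traffic once the dynamic rule for the connection has expired. That is the "simple test of packet contents" versus "dynamic rules ... deleted after the connection dies" contrast from the reply above, reduced to code.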