Date: Sun, 29 Feb 2004 14:44:10 -0800 From: Justin Walker <justin@mac.com> To: freebsd-ipfw@freebsd.org Subject: Re: TCP established flag & ipfw rule Message-ID: <CA1B3FE4-6B08-11D8-BD24-00306544D642@mac.com> In-Reply-To: <001101c3fe5e$1ae25f90$3301020a@hostthecaost.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Saturday, February 28, 2004, at 04:51 PM, J.T. Davies wrote: > Hello everyone, > > I'm on the road to setting up a (hopefully) secure firewall to keep > the bad > people out. > > I got to thinking -- I see (semi-frequently) in docs a rule at the top > of > the list much like: > > ipfw add 100 allow ip from any to any established > > ...and here's where the thinking part comes in... > > Is it possible to (spoof isn't the correct verbage) override the TCP > flags > on packets, thereby defeating the intent of the aforementioned rule? I > mean, if I had the knowledge (and the evil intent to do so) to create a > program that added the EST flag onto the TCP packets...rule 100 would > accept > the packet, thereby allowing access to anything behind the > firewall...no? > > Thoughts? Or is this a non-issue due to the stringent authoring of the > TCP/IP protocol? I'm not sure I follow your ideas. There is no 'EST' flag in a TCP packet. The "ESTABLISHED" state is kept at either end of the connection, not in the packets themselves. In addition, the two ends may not have the same state. Regards, Justin -- /~\ The ASCII Justin C. Walker, Curmudgeon-at-Large \ / Ribbon Campaign X Help cure HTML Email / \
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA1B3FE4-6B08-11D8-BD24-00306544D642>