From: Justin Walker
To: freebsd-ipfw@freebsd.org
Date: Sun, 29 Feb 2004 14:44:10 -0800
Subject: Re: TCP established flag & ipfw rule
List-Id: IPFW Technical Discussions

On Saturday, February 28, 2004, at 04:51 PM, J.T. Davies wrote:

> Hello everyone,
>
> I'm on the road to setting up a (hopefully) secure firewall to keep the bad people out.
>
> I got to thinking -- I see (semi-frequently) in docs a rule at the top of the list much like:
>
> ipfw add 100 allow ip from any to any established
>
> ...and here's where the thinking part comes in...
>
> Is it possible to (spoof isn't the correct verbiage) override the TCP flags on packets, thereby defeating the intent of the aforementioned rule? I mean, if I had the knowledge (and the evil intent to do so) to create a program that added the EST flag onto the TCP packets...rule 100 would accept the packet, thereby allowing access to anything behind the firewall...no?
>
> Thoughts? Or is this a non-issue due to the stringent authoring of the TCP/IP protocol?

I'm not sure I follow your ideas. There is no 'EST' flag in a TCP packet. The "ESTABLISHED" state is kept at either end of the connection, not in the packets themselves. In addition, the two ends may not have the same state.

Regards,

Justin

--
/~\ The ASCII Justin C. Walker, Curmudgeon-at-Large
\ / Ribbon Campaign
 X  Help cure HTML Email
/ \
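As an added illustration of the `established` keyword that the quoted rule 100 relies on (example code written for this archive page, not code from either poster): ipfw(8) defines `established` as matching TCP packets that carry the ACK or RST bit, so that rule is decided per packet from the header flags alone, whereas `keep-state`/`check-state` admit an inbound packet only when it belongs to a flow the firewall has already recorded. The Python model below, using constructed TCP headers and RFC 5737 documentation addresses, runs a genuine reply and an unsolicited ACK through both matchers side by side.

```python
import struct
from collections import namedtuple

# TCP flag bits from RFC 793; names follow ipfw(8)
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
Packet = namedtuple("Packet", "src sport dst dport flags")

def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options) for the demo."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)

def parse_tcp(src, dst, hdr):
    """Parse the fixed TCP header; the low 6 bits of the 7th 16-bit word are the flags."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    return Packet(src, sport, dst, dport, off_flags & 0x3F)

def ipfw_established(pkt):
    """ipfw(8) 'established': true for TCP packets with RST or ACK set.
    Only the flag bits are consulted, never the real connection state."""
    return bool(pkt.flags & (TH_ACK | TH_RST))

class StatefulFilter:
    """Toy model of keep-state/check-state: an inbound packet is admitted only
    if it answers an outbound SYN the firewall recorded as a dynamic rule."""
    def __init__(self, inside):
        self.inside = set(inside)  # addresses behind the firewall
        self.flows = set()         # recorded (src, sport, dst, dport) tuples

    def outbound(self, pkt):
        # 'allow tcp from <inside> to any setup keep-state' creates the entry
        if pkt.src in self.inside and pkt.flags & TH_SYN and not pkt.flags & TH_ACK:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def inbound(self, pkt):
        # 'check-state': the reply must match a recorded flow with ends swapped
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def demo():
    """Run a genuine reply and an unsolicited ACK through both matchers."""
    fw = StatefulFilter({"192.0.2.10"})  # constructed documentation addresses
    fw.outbound(parse_tcp("192.0.2.10", "198.51.100.5", tcp_header(50000, 80, TH_SYN)))
    reply = parse_tcp("198.51.100.5", "192.0.2.10", tcp_header(80, 50000, TH_SYN | TH_ACK))
    stray = parse_tcp("203.0.113.9", "192.0.2.10", tcp_header(4444, 22, TH_ACK))
    return {"reply": (ipfw_established(reply), fw.inbound(reply)),
            "stray": (ipfw_established(stray), fw.inbound(stray))}
```

`demo()` returns `{'reply': (True, True), 'stray': (True, False)}`: the flag-only rule passes both packets, while the stateful model passes only the reply to a connection the inside host actually opened.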