Date:      Mon, 14 Jan 2002 22:16:58 -0700
From:      Nate Williams <nate@yogotech.com>
To:        Matthew Whelan <muttley@gotadsl.co.uk>
Cc:        Richard Nyberg <rnyberg@it.su.se>, nate@yogotech.com (Nate Williams), Ian <freebsd@damnhippie.dyndns.org>, Rolandas Naujikas <rolnauj@delfi.lt>, stable@FreeBSD.ORG
Subject:   Re: tcp keepalive and dynamic ipfw rules
Message-ID:  <15427.47946.824547.114063@caddis.yogotech.com>
In-Reply-To: <GCA67273WQ2HBXUKHUOB6JNLOFDKF.3c439ad3@VicNBob>
References:  <15427.13548.266651.846138@caddis.yogotech.com> <GCA67273WQ2HBXUKHUOB6JNLOFDKF.3c439ad3@VicNBob>

> >> My solution to keep my ssh sessions from hanging because I made a cup
> >> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
> >> a more reasonable value.
> >
> >So, non-active TCP sessions can now get packets through since the
> >lifetime of the rules now exceeds the lifetime of many of your TCP
> >sessions, so I can now watch your firewall and punch packets through it
> >by analyzing the data.
> >
> >(In short, anyone good enough to punch through packets using the other
> >firewall setup is also capable of punching through packets with extended
> >lifetime TCP dynamic rules.)
> 
> Is ipfw really that dumb? I admit I've never really fiddled with it as, 
> being a gamer, I wanted NAT not to have to do the kernel->userland->kernel 
> transitions so chose ipf/ipnat... I'm pretty sure from watching the ipfstat 
> output that ipf is picking up the FINs and dropping the TTL on dynamic rules 
> when TCP sockets are properly closed (admittedly UDP still presents the 
> possibility of problems but the default timeout there is rather
> shorter).

As I understand, IPF's dynamic rules are *much* better than IPFW's, yes.

> I 
> haven't seen any ipfw vs ipf comparisons mention this; if ipfw genuinely is 
> incapable of spotting the end of a TCP connection (assuming the FINs are 
> seen both ways), personally I'd think that a strong reason to advocate ipf 
> as being preferable to ipfw where dynamic rules are needed

It is, but the use of dynamic rules doesn't necessarily buy you *that*
much security.

> Besides, it seems to me that given the sort of hacker/script capable of 
> exploiting such a weakness, 5 minutes' vulnerability is pretty much as bad 
> as 10 days'... after all, they must be recording the traffic as it happens 
> to know which port to attack.

The vulnerability of being able to push through hacked packets isn't as
bad as it might sound, since you'd have to have something listening on
the other end that blew up with said packets.  Getting packets out is a
harder problem. :)

It's much easier to cause a virus on the remote end which initiates the
connection, and no simple packet filtering firewall is going to stop
those kinds of attacks.


Nate
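Added illustration, not part of the thread or of ipfw/ipf: a toy model of a dynamic-rule table run under the two expiry policies the thread contrasts, a fixed lifetime refreshed by every packet (the dyn_ack_lifetime behaviour) versus one that also cuts the entry short once FINs have been seen in both directions. The lifetimes, the ssh flow and the packet trace are constructed values, chosen to show how raising the lifetime widens the window in which a closed connection's rule still admits packets.

```python
from dataclasses import dataclass, field
ACK_LIFETIME = 300   # seconds; stands in for net.inet.ip.fw.dyn_ack_lifetime
FIN_LIFETIME = 1     # seconds an entry survives after FINs both ways (toy value)

@dataclass
class DynRule:
    expires: int
    fin_seen: set = field(default_factory=set)   # directions that have sent FIN

class StateTable:
    def __init__(self, fin_aware):
        self.fin_aware = fin_aware   # True: also expire on FINs; False: lifetime only
        self.rules = {}

    def packet(self, flow, direction, flags, now):
        """Update the table for one packet; return True if it is admitted."""
        rule = self.rules.get(flow)
        if rule is not None and now > rule.expires:
            del self.rules[flow]
            rule = None
        if rule is None:
            if "SYN" not in flags:
                return False             # no state and no SYN: not admitted
            rule = self.rules[flow] = DynRule(expires=now + ACK_LIFETIME)
        rule.expires = now + ACK_LIFETIME   # any admitted packet refreshes the rule
        if "FIN" in flags:
            rule.fin_seen.add(direction)
        if self.fin_aware and rule.fin_seen == {"out", "in"}:
            rule.expires = now + FIN_LIFETIME   # closed both ways: expire soon
        return True

    def admits(self, flow, now):
        rule = self.rules.get(flow)
        return rule is not None and now <= rule.expires

def closed_flow_table(fin_aware):
    """Open one constructed ssh flow, close it cleanly; return (table, flow, t_close)."""
    t = StateTable(fin_aware)
    flow = ("10.0.0.2", 54321, "192.0.2.1", 22)
    trace = [("out", {"SYN"}, 0), ("in", {"SYN", "ACK"}, 1), ("out", {"ACK"}, 2),
             ("out", {"FIN", "ACK"}, 10), ("in", {"FIN", "ACK"}, 11)]
    for direction, flags, now in trace:
        t.packet(flow, direction, flags, now)
    return t, flow, 11

def exposure_after_close(fin_aware):
    """Seconds after a clean close during which the rule still admits packets."""
    t, flow, t_close = closed_flow_table(fin_aware)
    return t.rules[flow].expires - t_close
```

With the lifetime-only policy the window equals the full ACK lifetime, so every increase to dyn_ack_lifetime extends it by the same amount; the FIN-aware policy closes it right after the handshake teardown.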
