From owner-freebsd-questions Thu Jun 7 16:34:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.the-i-pa.com (mail.the-i-pa.com [151.201.71.132]) by hub.freebsd.org (Postfix) with SMTP id F0AAE37B403 for ; Thu, 7 Jun 2001 16:34:08 -0700 (PDT) (envelope-from wmoran@iowna.com)
Received: (qmail 9154 invoked from network); 7 Jun 2001 23:42:33 -0000
Received: from unknown (HELO iowna.com) (151.201.71.193) by mail.the-i-pa.com with SMTP; 7 Jun 2001 23:42:33 -0000
Message-ID: <3B200EEF.86F950D1@iowna.com>
Date: Thu, 07 Jun 2001 19:31:59 -0400
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: patl@Phoenix.Volant.ORG
Cc: Josh Thomas , freebsd-questions@freebsd.org
Subject: Re: IPFW rules and outward connections
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

patl@Phoenix.Volant.ORG wrote:
> > Will allow the IP listed to initiate an ssh connection to anyone or
> > receive an ssh connection from anyone, while the second rule ensures that
> > the connection can continue to communicate and the final rule blocks
> > anything that doesn't fit into the first category.
> > TCP communications must establish themselves, therefore anything that is
> > not specifically allowed to "setup" will never get to the "established"
> > state. (It's probably best, for speed, to always put the "established"
> > rule near the beginning of your ruleset.)
>
> But some l33t h4x0r can craft bogus packets which -claim- to be part
> of a non-existent established connection. ph33r m3!!! :p

... silly h4x0r5p33k.

I'm curious, then. Do you feel that dynamic rules are more secure?
So far it appears the ipfw rulesets I've put together have scared off anyone with malicious intent, as I've not yet had a break-in. But that doesn't mean my boxes are 100%. Really, just about any ruleset can be breached by someone with enough time/knowledge.

Do you know of any way that a forged established-connection packet can do anything more than DoS? There are other defenses to be taken against DoS, such as rate limiting, etc.

Don't mean to take this off-topic (am I?) but I'm always on the lookout to see what more I can learn about security.

-Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
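Editor's added example (not part of the thread, and not code from either poster): a small Python model of the two ipfw styles under discussion, so the difference between a static "established" rule and a keep-state/check-state rule can be seen on concrete packets. It uses the matching semantics documented in ipfw(8), "setup" meaning SYN set and ACK clear, "established" meaning ACK or RST set, and simplifies the dynamic rule table to an untimed 5-tuple set. The host address SSH_HOST, the client and attacker addresses, and the port numbers are constructed for the demonstration and are not taken from the thread.

```python
# Added example (not from the thread): static "established" rule vs. dynamic
# keep-state rule, modelled in Python.  ipfw matching semantics follow ipfw(8):
# "setup" = SYN set and ACK clear; "established" = ACK or RST set.  The
# dynamic rule table is simplified to an untimed set of normalised 5-tuples.
# All addresses and ports below are constructed for the demonstration.
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

SSH_HOST = "10.0.0.5"   # the "IP listed" in the ruleset (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    @property
    def is_setup(self) -> bool:
        """ipfw 'setup': SYN set, ACK clear (a genuine connection request)."""
        return bool(self.flags & SYN) and not (self.flags & ACK)

    @property
    def is_established(self) -> bool:
        """ipfw 'established': RST or ACK set.  There is no memory of any
        handshake, so a forged segment with ACK set matches just as well."""
        return bool(self.flags & (ACK | RST))


def static_filter(pkt: Packet) -> str:
    """The static ruleset quoted in the thread:
         allow tcp from SSH_HOST to any 22 setup
         allow tcp from any to SSH_HOST 22 setup
         allow tcp from any to any established
         deny ip from any to any
    """
    if pkt.is_setup and pkt.src == SSH_HOST and pkt.dport == 22:
        return "allow"
    if pkt.is_setup and pkt.dst == SSH_HOST and pkt.dport == 22:
        return "allow"
    if pkt.is_established:
        return "allow"
    return "deny"


class StatefulFilter:
    """The same policy written with dynamic rules:
         check-state
         allow tcp from SSH_HOST to any 22 setup keep-state
         allow tcp from any to SSH_HOST 22 setup keep-state
         deny ip from any to any
    Only a SYN that passes a keep-state rule creates a table entry; any
    later segment is allowed only if it matches an existing entry.
    """

    def __init__(self) -> None:
        self.state: set = set()

    @staticmethod
    def _key(pkt: Packet):
        # Normalise the 5-tuple so both directions of one flow share an entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.state:                     # check-state
            if pkt.flags & RST:
                self.state.discard(key)           # simplified teardown on RST
            return "allow"
        if pkt.is_setup and pkt.dport == 22 and SSH_HOST in (pkt.src, pkt.dst):
            self.state.add(key)                   # setup keep-state
            return "allow"
        return "deny"


def run_scenarios() -> dict:
    """A legitimate ssh handshake, then two forged 'established-looking' segments."""
    client = "198.51.100.7"                       # constructed client address
    legit = [
        Packet(client, 40000, SSH_HOST, 22, SYN),          # setup
        Packet(SSH_HOST, 22, client, 40000, SYN | ACK),    # reply
        Packet(client, 40000, SSH_HOST, 22, ACK),          # handshake done
    ]
    # Forged segments from an unrelated host: ACK/RST set, no handshake ever happened.
    forged_ack = Packet("203.0.113.9", 55555, SSH_HOST, 3306, ACK)
    forged_rst = Packet("203.0.113.9", 55555, SSH_HOST, 22, RST)

    dyn = StatefulFilter()
    return {
        "static_legit": [static_filter(p) for p in legit],
        "dynamic_legit": [dyn.filter(p) for p in legit],
        "static_forged_ack": static_filter(forged_ack),
        "dynamic_forged_ack": dyn.filter(forged_ack),
        "static_forged_rst": static_filter(forged_rst),
        "dynamic_forged_rst": dyn.filter(forged_rst),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The forged ACK aimed at port 3306 passes the static filter, because "established" only inspects flag bits, and reaches the host's TCP stack; a stack that has no matching connection answers with a RST, which is exactly the behaviour an ACK scan uses to map which ports a firewall leaves reachable. The same segment is dropped by the stateful filter because no keep-state rule ever created an entry for it. Two caveats on the dynamic version: the keep-state rules in the model carry no interface qualifier, so in a real ruleset a SYN arriving from outside with a spoofed SSH_HOST source would still create state (qualify such rules with in via / out via on the right interface), and the dynamic table is itself a resource an attacker can try to exhaust, which is the DoS angle rather than a bypass.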