From owner-freebsd-security Mon Apr 3 9: 9: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from spcem01sgl.sugar-land.omnes.net (spcem01sgl.sugar-land.omnes.net [163.188.48.51]) by hub.freebsd.org (Postfix) with ESMTP id E774D37BA4E for ; Mon, 3 Apr 2000 09:08:58 -0700 (PDT) (envelope-from rayk@sugar-land.spc.slb.com)
Received: from rayk-sgl.sugar-land.spc.slb.com ([163.188.49.242]) by spcem01sgl.sugar-land.omnes.net (Post.Office MTA v3.5.3 release 223 ID# 0-58147U25000L25000S0V35) with ESMTP id net for ; Mon, 3 Apr 2000 11:02:16 -0500
Message-Id: <4.3.1.2.20000403104253.00af9380@163.188.48.51>
X-Sender: rayk@163.188.48.51
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Mon, 03 Apr 2000 11:03:48 -0500
To: freebsd-security@FreeBSD.ORG
From: Keith Ray
Subject: ipfw dynamic rules & tcp rst
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have been using the new dynamic ipfw rules in 4.0. I wanted to make the firewall react as though it didn't exist by returning TCP RSTs instead of just dropping the connection. However, the following rules do not work:

    00400 check-state
    00500 reset tcp from any to {myip} established
    00600 reset tcp from {myip} to any established
    00700 allow tcp from any to {myip} 22 keep-state setup
    00800 reset tcp from any to {myip} setup
    65535 deny ip from any to any

When a connection comes in for a non-allowed port, rule 800 rejects the connection. However, rule 600 prevents the TCP RST from being sent and the connection is dropped. The following rules work, however:

    00300 allow tcp from {myip} to any
    00400 check-state
    00500 reset tcp from any to {myip} established
    00600 allow tcp from any to {myip} 22 keep-state setup
    00700 reset tcp from any to {myip} setup
    65535 deny ip from any to any

This time the connection is rejected and rule 300 allows the RST to be sent. Is there a better way of accomplishing this?
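The following is an added illustration, not part of the post above and not FreeBSD or ipfw code: a small first-match simulator in Python (ipfw itself cannot be exercised offline) that transcribes the two rulesets from the message and runs constructed packets through them. It models only what the ordering question depends on: first-match evaluation, check-state/keep-state, ipfw's `established` test (RST or ACK bit set) and `setup` test (SYN set, ACK clear), and the assumption, labelled in the code, that the RST generated by a `reset` action is itself filtered by the rules as an outbound packet before it leaves the host. The addresses `192.0.2.10` (standing in for `{myip}`) and `198.51.100.7` are constructed.

```python
# Added illustration (not FreeBSD or ipfw code): a toy first-match simulator
# for the two ipfw rulesets in the post.  Assumption: the RST produced by a
# `reset` rule goes back through the rules as an outbound packet.
from dataclasses import dataclass
from typing import Optional

MYIP = "192.0.2.10"          # stands in for {myip}; constructed address
CLIENT = "198.51.100.7"      # constructed remote address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    @property
    def established(self) -> bool:
        """ipfw 'established': RST or ACK bit set."""
        return self.ack or self.rst

    @property
    def setup(self) -> bool:
        """ipfw 'setup': SYN set and ACK clear."""
        return self.syn and not self.ack


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                  # allow | deny | reset | check-state
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False
    setup: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.established)
                and (not self.setup or p.setup))


def flow(p: Packet) -> frozenset:
    """Direction-independent key for the dynamic (keep-state) table."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def lookup(rules, p: Packet, state: set) -> str:
    """Action of the first matching rule; the implicit 65535 rule denies."""
    for r in rules:
        if r.action == "check-state":
            if flow(p) in state:
                return "allow"
            continue
        if r.matches(p):
            if r.keep_state and r.action == "allow":
                state.add(flow(p))
            return r.action
    return "deny"


def firewall(rules, p: Packet, state: set) -> str:
    """Observable outcome for p: allow, deny, rst-sent or rst-dropped."""
    verdict = lookup(rules, p, state)
    if verdict != "reset":
        return verdict
    if p.rst:                    # a RST is never answered with a RST
        return "rst-dropped"
    # Assumption: the reply RST is filtered again on its way out.
    reply = Packet(p.dst, p.src, p.dport, p.sport, ack=True, rst=True)
    return "rst-sent" if lookup(rules, reply, state) == "allow" else "rst-dropped"


# The two rulesets from the post, transcribed into Rule objects.
BROKEN = [
    Rule(400, "check-state"),
    Rule(500, "reset", dst=MYIP, established=True),
    Rule(600, "reset", src=MYIP, established=True),
    Rule(700, "allow", dst=MYIP, dport=22, setup=True, keep_state=True),
    Rule(800, "reset", dst=MYIP, setup=True),
]
WORKING = [
    Rule(300, "allow", src=MYIP),
    Rule(400, "check-state"),
    Rule(500, "reset", dst=MYIP, established=True),
    Rule(600, "allow", dst=MYIP, dport=22, setup=True, keep_state=True),
    Rule(700, "reset", dst=MYIP, setup=True),
]


def demo(rules) -> dict:
    """Run a few constructed packets through a ruleset and report outcomes."""
    state = set()
    return {
        "syn->23": firewall(rules, Packet(CLIENT, MYIP, 40000, 23, syn=True), state),
        "syn->22": firewall(rules, Packet(CLIENT, MYIP, 40001, 22, syn=True), state),
        "synack<-22": firewall(rules, Packet(MYIP, CLIENT, 22, 40001, syn=True, ack=True), state),
        "ack->22": firewall(rules, Packet(CLIENT, MYIP, 40001, 22, ack=True), state),
        "stray ack->80": firewall(rules, Packet(CLIENT, MYIP, 40002, 80, ack=True), state),
    }


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("working", WORKING)):
        print(name, demo(rules))
```

Under this model the first ruleset loses the RST because the reply generated by rule 800 carries ACK and RST, so it satisfies `established` and is caught by the outbound rule 600 before it reaches the wire; the second ruleset's rule 300 lets that same reply out. The simulation also shows why the SSH handshake still works in both cases: the SYN to port 22 creates a dynamic entry, and the returning SYN/ACK and the client's ACK are accepted by check-state.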