From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 29 15:27:09 2004
From: "J.T. Davies" <jtd@hostthecoast.org>
To: freebsd-ipfw@freebsd.org
Date: Sun, 29 Feb 2004 15:29:44 -0800
Message-ID: <001c01c3ff1b$ea0d83e0$3301020a@hostthecaost.org>
Subject: Re: TCP established flag & ipfw rule
List-Id: IPFW Technical Discussions

> > I got to thinking -- I see (semi-frequently) in docs a rule at the top of
> > the list much like:
> >
> > ipfw add 100 allow ip from any to any established
> >
> > ...and here's where the thinking part comes in...
> >
> > Is it possible to (spoof isn't the correct verbiage) override the TCP flags
> > on packets, thereby defeating the intent of the aforementioned rule? I
> > mean, if I had the knowledge (and the evil intent to do so) to create a
> > program that added the EST flag onto the TCP packets...rule 100 would accept
> > the packet, thereby allowing access to anything behind the firewall...no?
> >
> > Thoughts? Or is this a non-issue due to the stringent authoring of the
> > TCP/IP protocol?
>
> I'm not sure I follow your ideas. There is no 'EST' flag in a TCP
> packet. The "ESTABLISHED" state is kept at either end of the
> connection, not in the packets themselves. In addition, the two ends
> may not have the same state.
>
> Regards,
>
> Justin

Ok, the Cliff Notes on TCP failed me...guess I gotta take TCP101 class again.

I re-read the man page for IPFW (and didn't blink this time). The "established" rule matches on RST or ACK.

To clarify, instead of "EST" in my original post, replace with "ACK". Could some unscrupulous person add the "ACK" flag to the TCP packets and be accepted by this rule (even though they may not technically be "ACK")? [Or am I just talking out my butt here]

Or, to put the question more generally...could a "hacker" change the flags/bits of the TCP packet at their whim?

Thanks!

J.T.
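The thread turns on the difference between a rule that looks only at the RST/ACK bits of each packet (ipfw's `established` option, as J.T. found in the man page) and a firewall that remembers which connections were actually opened. The following toy model is an added example, not code from the thread or from ipfw: it evaluates a few constructed packets against a flag-only `established` check and against a simplified model of ipfw's `check-state` / `setup keep-state` rules. The packet addresses, the "inside" prefix, and the firewall semantics are illustrative assumptions, not a reimplementation of the kernel's matching code.

```python
"""Added example (not from the mailing-list thread or from ipfw itself): a
toy model contrasting ipfw's flag-only 'established' match with a stateful
check-state / setup keep-state ruleset.  The semantics modelled here are a
deliberate simplification for illustration."""
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header's flags field.
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def matches_established(pkt: Packet) -> bool:
    """ipfw(8) 'established' option: true for any TCP packet with RST or ACK
    set.  It inspects only the flags of this one packet; the rule keeps no
    memory of whether a three-way handshake ever took place."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFirewall:
    """Simplified model of the ruleset
         check-state
         allow tcp from <inside> to any setup keep-state
         deny tcp from any to any
    State is created only by an outbound SYN-without-ACK ('setup'); later
    packets of that flow, in either direction, match check-state."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix  # constructed, e.g. "10.2.1."
        self.flows: set = set()

    def evaluate(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # check-state: any packet of a flow we created is allowed.
        if fwd in self.flows or rev in self.flows:
            return "allow (check-state)"
        # setup: SYN set and ACK clear, and only from the inside network.
        is_setup = bool(pkt.flags & SYN) and not pkt.flags & ACK
        if pkt.src.startswith(self.inside_prefix) and is_setup:
            self.flows.add(fwd)
            return "allow (setup keep-state)"
        return "deny"


def run_demo() -> dict:
    """Constructed traffic: an unsolicited inbound ACK to an inside host, then
    a legitimate outbound connection and its SYN|ACK reply."""
    fw = StatefulFirewall("10.2.1.")
    results = {}
    # 1. An outside host sends a bare ACK to an inside SSH port although no
    #    handshake ever happened.  The flag-only rule accepts it; the
    #    stateful ruleset has no matching flow and denies it.
    stray = Packet("198.51.100.7", 40000, "10.2.1.51", 22, ACK)
    results["stray_ack_flag_rule"] = matches_established(stray)
    results["stray_ack_stateful"] = fw.evaluate(stray)
    # 2. An inside host opens a connection outward (SYN) and the reply comes
    #    back with SYN|ACK.  Both approaches pass the reply, but the stateful
    #    one does so because it remembers the setup packet.
    syn = Packet("10.2.1.51", 50000, "203.0.113.9", 80, SYN)
    results["outbound_syn_stateful"] = fw.evaluate(syn)
    reply = Packet("203.0.113.9", 80, "10.2.1.51", 50000, SYN | ACK)
    results["reply_flag_rule"] = matches_established(reply)
    results["reply_stateful"] = fw.evaluate(reply)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one Justin raised: the ACK and RST bits are just header fields, so a rule that matches on them alone admits any packet carrying them, whereas a `check-state` / `keep-state` ruleset admits a packet only when the firewall itself recorded the connection being opened from the permitted side.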