From: "Dmitry S. Rzhavin" <dima@rt.ru>
Organization: Rostelecom
Date: Mon, 15 Jul 2002 19:48:13 +0400 (MSD)
To: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <3D32EEBD.E66100A1@rt.ru>
References: <3D32D849.E3D8F2BE@rt.ru>
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386)

Dag-Erling Smorgrav wrote:
> 
> "Dmitry S. Rzhavin" writes:
> > 10 pass tcp from any to ip2 in keep-state setup
> > ... nothing interesting here
> > 20 deny tcp from any to ip2
> > 
> > 
> > Or, in other words, I want to pre-auth some packet with rule 10 to
> > check it later. Then, I decide to drop it.
> > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > session. I think this is not good. Why does ipfw work this way?
> 
> That's what you asked it to do. Rule 10 basically says "if the packet
> is a tcp SYN packet destined for ip2, stop examining it, let it
> through

nonono! Rule 10 says "let it _in_", not out!
Or:

                        --------------
                        |IPFW is here|
 --------               |            |
 |packet|==[flows in]=>in_if      out_if --------
                        |            |   |packet|==>X
                        --------------
   fly in is allowed ^^^              ^^^ packet dies here

So, I expect (at least) the dynamic rule to be "pass ip from inet to ip1 _in_". Or, as the best solution, rule "in" creates a dynamic candidate, and the stateful dynamic rule is created only if the packet is allowed to go out. If the packet dies inside ipfw, the rule dies too.

So, the question is: why is this bad? Why did the FreeBSD Team choose to create a dynamic rule "in/out" for an "in" static rule? Is it a bug, or a feature?

>, and remember to let all similar packets through in the
> future"
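The situation Dmitry describes, worked through in a small model (an added example, not code from the post or from FreeBSD). It models two documented ipfw facts: a keep-state rule installs a dynamic rule that matches the flow in both directions, since the dynamic rule carries no "in"/"out", and dynamic rules are consulted at the first check-state or keep-state rule reached. The client addresses, the ports and the egress-deny rule 5 standing in for "whatever kills the packet on the way out" are constructed for the demonstration, as is the hardened ruleset, which keeps state only on the rule that makes the final (egress) decision.

```python
"""Toy model of ipfw keep-state behaviour. Added example, not FreeBSD code.
Constructed: addresses, ports, rule 5 (egress deny) and the hardened ruleset."""
from dataclasses import dataclass, replace
from typing import Optional

SERVER = "ip2"            # the protected host from the post
BLOCKED = "203.0.113.7"   # constructed: a client the egress policy must reject
CLIENT = "198.51.100.9"   # constructed: an ordinary client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" (received on an interface) or "out" (transmitted)
    setup: bool = False   # True for the TCP SYN that opens the session


@dataclass
class Rule:
    number: int
    action: str                      # "pass", "deny" or "check-state"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None matches both directions
    setup: bool = False              # "setup": match only the opening SYN
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.direction is None or self.direction == p.direction)
                and (not self.setup or p.setup))


def flow_key(p: Packet) -> frozenset:
    # Unordered endpoint pair: the dynamic rule has no direction, so the reply and
    # the same packet seen again on the other interface hash to the same entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}  # flow_key -> number of the parent (keep-state) rule

    def check(self, p: Packet):
        """One pass through the rule list: returns (action, reason)."""
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:
                parent = self.dynamic.get(flow_key(p))
                if parent is not None:   # dynamic hit: the parent's action applies
                    action = next(x.action for x in self.rules if x.number == parent)
                    return action, f"dynamic rule from {parent}"
            if r.action != "check-state" and r.matches(p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = r.number
                return r.action, f"rule {r.number}"
        return "deny", "default"


def forward(fw: Ipfw, p: Packet):
    """A forwarded packet is checked 'in' on in_if and, if passed, 'out' on out_if."""
    trace = [("in",) + fw.check(replace(p, direction="in"))]
    if trace[0][1] == "pass":
        trace.append(("out",) + fw.check(replace(p, direction="out")))
    return trace


def posted_ruleset() -> Ipfw:
    """Rules 10 and 20 from the post plus a constructed egress deny (rule 5)."""
    return Ipfw([
        Rule(5, "deny", src=BLOCKED, dst=SERVER, direction="out"),
        Rule(10, "pass", dst=SERVER, direction="in", setup=True, keep_state=True),
        Rule(20, "deny", dst=SERVER),
    ])


def hardened_ruleset() -> Ipfw:
    """Same policy, but state is kept only where the decision is final (egress)."""
    return Ipfw([
        Rule(10, "check-state"),
        Rule(15, "deny", src=BLOCKED, dst=SERVER, direction="out"),
        Rule(20, "pass", dst=SERVER, direction="in", setup=True),
        Rule(30, "pass", dst=SERVER, direction="out", setup=True, keep_state=True),
        Rule(40, "deny", dst=SERVER),
    ])


def blocked_client_session(fw: Ipfw):
    """SYN from the blocked client, then a later data packet of the same flow.
    Returns (egress verdict on the SYN, verdict on the data packet arriving 'in')."""
    egress = forward(fw, Packet(BLOCKED, 40000, SERVER, 80, "in", setup=True))[-1]
    data = Packet(BLOCKED, 40000, SERVER, 80, "in")
    return egress[1], fw.check(data)[0]


def allowed_client_reply(fw: Ipfw):
    """An ordinary client's SYN is forwarded; the server's reply, travelling the
    other way, must then be matched by the dynamic rule."""
    forward(fw, Packet(CLIENT, 40001, SERVER, 80, "in", setup=True))
    return fw.check(Packet(SERVER, 80, CLIENT, 40001, "in"))


if __name__ == "__main__":
    for name, mk in (("as posted", posted_ruleset), ("hardened", hardened_ruleset)):
        print(name, blocked_client_session(mk()), allowed_client_reply(mk()))
```

With the posted layout the SYN dies on egress at rule 5, yet the dynamic rule installed by rule 10 survives and lets the rest of the flow in, which is exactly the complaint above. In the hardened layout the "in" rule creates no state; the keep-state sits on the egress pass, so a flow that is denied on the way out never gets a dynamic rule, while legitimate replies still match the state via the leading check-state.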