Date:      Wed, 24 Jan 2001 09:23:06 +1000
From:      Phil Homewood <pdh@bit.net.au>
To:        freebsd-ipfw@freebsd.org
Subject:   [security-advisories@FreeBSD.ORG: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw]
Message-ID:  <20010124092306.A5425@atlas.bit.net.au>

> FreeBSD-SA-01:08                                           Security Advisory
> Topic:		ipfw/ip6fw allows bypassing of 'established' keyword

> IV.  Workaround
> 
> Because the vulnerability only affects 'established' rules and ECE-
> flagged TCP packets, this vulnerability can be removed by adjusting
> the system's rulesets.  In general, it is possible to express most
> 'established' rules in terms of a general TCP rule (with no TCP flag
> qualifications) and a 'setup' rule, but may require some restructuring
> and renumbering of the ruleset.

If my understanding of this is correct, I gather that the following
(fictional) ruleset:

00110 allow ip from any to any established
00120 allow ip from any to any frag
00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00140 deny tcp from any to any

could be safely replaced by the following:

00110 allow ip from any to any frag
00120 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00130 deny tcp from any to any setup
00140 allow tcp from any to any established

with or without the "established" in rule 1300, yes? I'm assuming
here that "setup" actually means more than "not established".
-- 
Phil Homewood                 pdh@asiaonline.net
Senior Technician             +61 7 3620 1930
Asia Online                   http://www.asiaonline.net/
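As an added illustration (not from the post or the advisory), a small first-match model of the two rulesets above, run against a constructed SYN+ECE probe. The way the buggy 'established' check accepts ECE-flagged packets is modelled here as an assumption drawn from the advisory's description, not from FreeBSD's actual ipfw code; the `verdict` and `qualifier_ok` helpers are hypothetical names.

```python
from ipaddress import ip_address, ip_network
SYN, RST, ACK, ECE = 0x02, 0x04, 0x10, 0x40   # TCP flag bits

# Both rulesets from the post: (number, action, proto, src, dst, dport, qualifier)
ORIGINAL = [
    (110, "allow", "ip",  "any", "any", None, "established"),
    (120, "allow", "ip",  "any", "any", None, "frag"),
    (130, "allow", "tcp", "192.168.2.0/24", "192.168.2.1", 22, "setup"),
    (140, "deny",  "tcp", "any", "any", None, None),
]
REWRITTEN = [
    (110, "allow", "ip",  "any", "any", None, "frag"),
    (120, "allow", "tcp", "192.168.2.0/24", "192.168.2.1", 22, "setup"),
    (130, "deny",  "tcp", "any", "any", None, "setup"),
    (140, "allow", "tcp", "any", "any", None, "established"),
]

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

def qualifier_ok(qual, pkt, buggy):
    flags = pkt.get("flags", 0)
    if qual is None:
        return True
    if qual == "frag":
        return pkt.get("frag", False)
    if pkt["proto"] != "tcp":            # setup/established only ever match TCP
        return False
    if qual == "setup":                  # ipfw 'setup': SYN set, ACK clear
        return bool(flags & SYN) and not flags & ACK
    # 'established' is ACK-or-RST; the buggy check (modelled, assumption) also takes ECE
    return bool(flags & (ACK | RST | (ECE if buggy else 0)))

def verdict(ruleset, pkt, buggy):
    """First-match evaluation; ipfw's implicit final rule 65535 modelled as deny."""
    for num, action, proto, src, dst, dport, qual in ruleset:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if qualifier_ok(qual, pkt, buggy):
            return action, num
    return "deny", 65535

# Constructed probe: an outside host opening a new connection to port 25 with
# SYN+ECE set, which a buggy 'established' check would accept as established.
PROBE = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.2.1", "dport": 25, "flags": SYN | ECE}
```

With the buggy check the original ruleset admits the probe at rule 110, while the rewritten ruleset drops it at the 'deny ... setup' rule 130 before the 'established' rule is ever consulted.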
