From owner-freebsd-ipfw Tue Jan 23 15:23:27 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from atlas.bit.net.au (atlas.bit.net.au [203.18.94.3]) by hub.freebsd.org (Postfix) with ESMTP id 5ACBB37B404 for ; Tue, 23 Jan 2001 15:23:09 -0800 (PST)
Received: (from pdh@localhost) by atlas.bit.net.au (8.11.0/8.11.0) id f0NNN6r17202 for freebsd-ipfw@freebsd.org; Wed, 24 Jan 2001 09:23:06 +1000
Date: Wed, 24 Jan 2001 09:23:06 +1000
From: Phil Homewood
To: freebsd-ipfw@freebsd.org
Subject: [security-advisories@FreeBSD.ORG: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw]
Message-ID: <20010124092306.A5425@atlas.bit.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> FreeBSD-SA-01:08 Security Advisory
> Topic: ipfw/ip6fw allows bypassing of 'established' keyword
> IV. Workaround
>
> Because the vulnerability only affects 'established' rules and ECE-
> flagged TCP packets, this vulnerability can be removed by adjusting
> the system's rulesets. In general, it is possible to express most
> 'established' rules in terms of a general TCP rule (with no TCP flag
> qualifications) and a 'setup' rule, but may require some restructuring
> and renumbering of the ruleset.

If my understanding of this is correct, I gather that the following
(fictional) ruleset:

00110 allow ip from any to any established
00120 allow ip from any to any frag
00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00140 deny tcp from any to any

could be safely replaced by the following:

00110 allow ip from any to any frag
00120 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00130 deny tcp from any to any setup
00140 allow tcp from any to any established

with or without the "established" in rule 1300, yes?

I'm assuming here that "setup" actually means more than "not established".
-- 
Phil Homewood                  pdh@asiaonline.net
Senior Technician              +61 7 3620 1930
Asia Online                    http://www.asiaonline.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
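As an added illustration of the question in the message above, the following Python simulator evaluates both of the "fictional" rulesets Phil posted against a handful of constructed TCP packets. It is example code written for this page, not part of Phil's message, the advisory, or ipfw itself. Two modelling assumptions are labelled in the code: the pre-fix behaviour of 'established' is approximated as "the TCP flags byte is anything other than exactly SYN" (one way to get the behaviour the advisory describes, where a SYN carrying ECE slips past an 'established' rule; the real kernel code is not reproduced), and 'setup' is modelled per ipfw(8) as SYN set with ACK clear. The addresses and ports in the sample packets are invented, and the trailing default-deny rule 65535 is assumed to follow the rulesets as shown.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# TCP flag bits (th_flags layout); ECE is the bit the advisory is about.
SYN, RST, ACK, ECE = 0x02, 0x04, 0x10, 0x40


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    flags: int = 0        # TCP flags byte; ignored for non-TCP
    frag: bool = False    # True for a non-first IP fragment


@dataclass
class Rule:
    num: int
    action: str                   # "allow" or "deny"
    proto: str                    # "ip" or "tcp"
    src: str                      # CIDR, host, or "any"
    dst: str
    dport: Optional[int] = None
    option: Optional[str] = None  # "established", "setup", "frag" or None


def parse_ruleset(text: str) -> list:
    """Parse lines of the form 'NUM action proto from SRC to DST [PORT] [option]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action, proto, src, dst = int(t[0]), t[1], t[2], t[4], t[6]
        rest = t[7:]
        dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        option = rest[0] if rest else None
        rules.append(Rule(num, action, proto, src, dst, dport, option))
    return rules


# The two rulesets exactly as posted in the message.
OLD_RULES = parse_ruleset("""
00110 allow ip from any to any established
00120 allow ip from any to any frag
00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00140 deny tcp from any to any
""")

NEW_RULES = parse_ruleset("""
00110 allow ip from any to any frag
00120 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00130 deny tcp from any to any setup
00140 allow tcp from any to any established
""")


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet, vulnerable: bool) -> bool:
    if r.proto == "tcp" and p.proto != "tcp":
        return False
    if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
        return False
    if r.option == "frag":
        return p.frag
    if p.frag:
        # A non-first fragment carries no TCP header, so rules that need
        # ports or flags cannot match it; plain address/proto rules still do.
        return r.dport is None and r.option is None
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.option == "setup":
        # ipfw(8): SYN set and ACK clear.
        return p.proto == "tcp" and bool(p.flags & SYN) and not (p.flags & ACK)
    if r.option == "established":
        if p.proto != "tcp":
            return False
        if vulnerable:
            # ASSUMED model of the pre-fix check: anything that is not a bare
            # SYN counts as established, so SYN|ECE is waved through.
            return p.flags != SYN
        return bool(p.flags & (ACK | RST))   # ipfw(8) semantics after the fix
    return True


def evaluate(rules: list, p: Packet, vulnerable: bool = True) -> tuple:
    """Return (rule number, action) of the first matching rule.

    Falls through to the assumed default-deny rule 65535.
    """
    for r in rules:
        if rule_matches(r, p, vulnerable):
            return r.num, r.action
    return 65535, "deny"


# Constructed sample traffic (invented addresses/ports).
SYN_ECE_FROM_OUTSIDE = Packet("tcp", "10.0.0.5", "192.168.2.1", 80, SYN | ECE)
SYN_FROM_OUTSIDE = Packet("tcp", "10.0.0.5", "192.168.2.1", 80, SYN)
INSIDE_SSH_SETUP = Packet("tcp", "192.168.2.7", "192.168.2.1", 22, SYN)
REPLY_ACK = Packet("tcp", "192.168.2.1", "10.0.0.5", 51000, ACK)
TCP_FRAGMENT = Packet("tcp", "10.0.0.5", "192.168.2.1", 0, 0, frag=True)


if __name__ == "__main__":
    for name, pkt in [("SYN|ECE in", SYN_ECE_FROM_OUTSIDE), ("SYN in", SYN_FROM_OUTSIDE),
                      ("inside ssh", INSIDE_SSH_SETUP), ("reply ACK", REPLY_ACK),
                      ("fragment", TCP_FRAGMENT)]:
        print(f"{name:12} old={evaluate(OLD_RULES, pkt)}  new={evaluate(NEW_RULES, pkt)}")
```

Under the assumed pre-fix semantics the original ruleset passes a SYN|ECE from an outside host at rule 110, while the restructured ruleset stops the same packet at rule 130 because 'setup' keys on SYN and ACK alone and does not care about ECE. Legitimate traffic (the inside ssh connection, the reply ACK, fragments) is accepted by both rulesets, which is the behavioural equivalence Phil is asking about.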