Date: Wed, 14 Feb 2001 21:17:18 +0100
From: Stefan
To: freebsd-security@freebsd.org
Subject: Abnormal behaviour of "established" rule with ipfw?

Theoretically, I think, the following firewall rules for ipfw would never allow any TCP connection, simply because a connection cannot be set up:

ipfw list:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
30000 allow tcp from any to any established
65535 deny ip from any to any

However, the opposite appears to be true:

ipfw show:

00100   0     0 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
30000 212 15669 allow tcp from any to any established
65535   0     0 deny ip from any to any

Connections can be set up without a problem!

I'm using FreeBSD 4.1 Release with the security patches of January applied. Verified this on my workstation (above example) after observing incoming connections on my firewall box (same version and patches).

As a workaround I moved a deny incoming rule before the allow established rule, but according to the examples in the tutorial and handbook this should not be necessary.

Is this a security vulnerability, or do I understand things wrong?

Greets,
Stefan
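The rule walk the post reasons about, as an added example that is not part of the original message or of FreeBSD: a small Python model of ipfw's first-match evaluation, run over a TCP three-way handshake against the four rules quoted above. It assumes ipfw's documented meaning of `established` (a TCP packet with the ACK or RST flag set); the addresses and the interface name are constructed.

```python
# Added example (not from the original post): a minimal model of ipfw's
# first-match rule evaluation, used to walk a TCP three-way handshake through
# the ruleset quoted in the message. Assumption: "established" matches TCP
# packets that carry the ACK or RST flag, as ipfw(8) documents it.

from dataclasses import dataclass


@dataclass
class Packet:
    proto: str           # "tcp", "udp", ...
    src: str
    dst: str
    flags: set           # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    iface: str = "fxp0"  # constructed interface name; "lo0" for loopback


def _to_loopback(pkt):
    # "127.0.0.0/8" in rule 200 means any destination in 127.x.x.x
    return pkt.dst.startswith("127.")


# (rule number, action, match predicate), in the order the poster listed them.
POSTER_RULES = [
    (100,   "allow", lambda p: p.iface == "lo0"),
    (200,   "deny",  lambda p: _to_loopback(p)),
    (30000, "allow", lambda p: p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})),
    (65535, "deny",  lambda p: True),  # default rule, always matches
]


def evaluate(rules, pkt):
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for number, action, match in rules:
        if match(pkt):
            return number, action
    raise AssertionError("ruleset has no default rule")


def handshake_verdicts(rules):
    """Walk the three packets of a TCP handshake through the rules."""
    client, server = "198.51.100.7", "192.0.2.10"  # constructed addresses
    steps = [
        ("SYN",     Packet("tcp", client, server, {"SYN"})),         # no ACK yet
        ("SYN-ACK", Packet("tcp", server, client, {"SYN", "ACK"})),
        ("ACK",     Packet("tcp", client, server, {"ACK"})),
    ]
    return {name: evaluate(rules, pkt) for name, pkt in steps}


if __name__ == "__main__":
    for name, (number, action) in handshake_verdicts(POSTER_RULES).items():
        print(f"{name:8s} -> rule {number:5d} {action}")
```

Under this model the initial SYN carries neither ACK nor RST, so it falls through to rule 65535 and is denied before any "established" packet can exist, which is the expectation the post starts from.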