From owner-freebsd-security Wed Feb 14 13: 0:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id B68E737B4EC for ; Wed, 14 Feb 2001 13:00:27 -0800 (PST)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id OAA04001; Wed, 14 Feb 2001 14:00:25 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id OAA26029; Wed, 14 Feb 2001 14:00:23 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14986.61927.680205.227406@nomad.yogotech.com>
Date: Wed, 14 Feb 2001 14:00:23 -0700 (MST)
To: Stefan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Abnormal behaviour of "established" rule with ipfw?
In-Reply-To: <4.1.20010214211242.0094ac90@pop.iae.nl>
References: <4.1.20010214211242.0094ac90@pop.iae.nl>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Theoretically, I think, the following firewall rules for ipfw would never
> allow any
> tcp connection simply because a connection can not be set up:
>
> ipfw list:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 30000 allow tcp from any to any established
> 65535 deny ip from any to any
>
> However, the opposite appears to be true:
> ipfw show:
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 30000 212 15669 allow tcp from any to any established
> 65535 0 0 deny ip from any to any
>
> Connections can be set up without a problem!
> I'm using FreeBSD 4.1 Release with the security patches of January applied.
> Verified this on my workstation (above example) after observing incoming
> connections on my firewall box (same version and patches).
>
> As a workaround I moved a deny incoming rule before the allow established rule
> but according to the examples in the tutorial and handbook this should not be
> necessary.
>
> Is this a security vulnerability or do I understand things wrong?

Were these packets from connections set up before the firewall rule was in
place? If so, they are already established.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
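To make Nate's explanation concrete, here is an added simulation (not from the thread and not ipfw's own code) of first-match evaluation over the quoted ruleset, treating `established` as the stateless flag test ipfw documents (TCP packets with RST or ACK set); the addresses and the interface name fxp0 are constructed placeholders.

```python
import ipaddress

# TCP flag bits as laid out in the TCP header.
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The quoted ruleset as (number, action, predicate), in first-match order.
# "established" is only a header check: RST or ACK set, no connection table.
RULES = [
    (100,   "allow", lambda p: p["via"] == "lo0"),
    (200,   "deny",  lambda p: ipaddress.ip_address(p["dst"]) in LOOPBACK),
    (30000, "allow", lambda p: p["proto"] == "tcp" and p["flags"] & (ACK | RST) != 0),
    (65535, "deny",  lambda p: True),
]

def evaluate(packet, counters):
    """Walk the rules in order; the first match decides and its counter is bumped."""
    for num, action, match in RULES:
        if match(packet):
            counters[num] = counters.get(num, 0) + 1
            return action
    raise RuntimeError("unreachable: rule 65535 matches everything")

def tcp(src, dst, flags, via="fxp0"):
    # Constructed packet record; addresses and interface are placeholders.
    return {"proto": "tcp", "src": src, "dst": dst, "flags": flags, "via": via}

def run(packets):
    """Return per-rule packet counts, the first counter column of `ipfw show`."""
    counters = {}
    for p in packets:
        evaluate(p, counters)
    return counters

# Case 1: a new connection attempt through the filter. The initial SYN carries
# neither ACK nor RST, so it falls through to the default deny; the peer never
# sees it and no handshake can complete, as Stefan expected.
NEW_CONNECTION = [tcp("192.0.2.10", "198.51.100.20", SYN)]

# Case 2: a connection whose handshake finished before the rules were loaded.
# Every later segment carries ACK, so each one hits rule 30000; this is how
# that rule's counters grow without any new connection having been set up.
PREEXISTING = [
    tcp("198.51.100.20", "192.0.2.10", ACK),
    tcp("192.0.2.10", "198.51.100.20", PSH | ACK),
    tcp("198.51.100.20", "192.0.2.10", ACK),
]

if __name__ == "__main__":
    print("new connection:", run(NEW_CONNECTION))   # {65535: 1}
    print("pre-existing:  ", run(PREEXISTING))      # {30000: 3}
```

Because rule 30000 never consults connection state, the only way to tell the two cases apart on a real box is to compare the counters against connections that were already open when the rules were loaded.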