Date:      Wed, 14 Feb 2001 14:00:23 -0700 (MST)
From:      Nate Williams <nate@yogotech.com>
To:        Stefan <roijers@iae.nl>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Abnormal behaviour of "established" rule with ipfw?
Message-ID:  <14986.61927.680205.227406@nomad.yogotech.com>
In-Reply-To: <4.1.20010214211242.0094ac90@pop.iae.nl>
References:  <4.1.20010214211242.0094ac90@pop.iae.nl>

> Theoretically, I think, the following firewall rules for ipfw would never
> allow any tcp connection, simply because a connection cannot be set up:
> 
> ipfw list:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 30000 allow tcp from any to any established
> 65535 deny ip from any to any
> 
> However, the opposite appears to be true:
> ipfw show:
> 00100   0     0 allow ip from any to any via lo0
> 00200   0     0 deny ip from any to 127.0.0.0/8
> 30000 212 15669 allow tcp from any to any established
> 65535   0     0 deny ip from any to any
> 
> Connections can be setup without a problem!
> I'm using FreeBSD 4.1 Release with the security patches of January applied.
> Verified this on my workstation (above example) after observing incoming
> connections on my firewall box (same version and patches).
> 
> As a workaround I moved a deny incoming rule before the allow established rule,
> but according to the examples in the tutorial and handbook this should not be
> necessary.
> 
> Is this a security vulnerability or do I understand things wrong?

Were these packets from connections setup before the firewall rule was
in place?  If so, they are already established.
Nate