From owner-freebsd-security Mon Apr 3 19:01:07 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id B76CD37B74A for ; Mon, 3 Apr 2000 19:00:47 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id MAA24050; Tue, 4 Apr 2000 12:01:21 +1000 (EST)
From: Darren Reed
Message-Id: <200004040201.MAA24050@cairo.anu.edu.au>
Subject: Re: ipfw dynamic rules & tcp rst
In-Reply-To: <4.3.1.2.20000403104253.00af9380@163.188.48.51> from Keith Ray at "Apr 3, 0 11:03:48 am"
To: rayk@sugar-land.spc.slb.com (Keith Ray)
Date: Tue, 4 Apr 2000 12:01:20 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Keith Ray, sie said:
> I have been using the new dynamic ipfw rules in 4.0. I wanted to make the
> firewall react as though it didn't exist by returning TCP RSTs instead of
> just dropping the connection. However, the following rules do not work:
>
> 00400 check-state
> 00500 reset tcp from any to {myip} established
> 00600 reset tcp from {myip} to any established
> 00700 allow tcp from any to {myip} 22 keep-state setup
> 00800 reset tcp from any to {myip} setup
> 65535 deny ip from any to any
>
> When a connection comes in for a non-allowed port, rule 800 rejects the
> connection. However, rule 600 prevents the TCP RST from being sent and the
> connection is dropped.
>
> The following rules work however:
>
> 00300 allow tcp from {myip} to any
> 00400 check-state
> 00500 reset tcp from any to {myip} established
> 00600 allow tcp from any to {myip} 22 keep-state setup
> 00700 reset tcp from any to {myip} setup
> 65535 deny ip from any to any
>
> This time the connection is rejected and rule 300 allows the RST to be
> sent. Is there a better way of accomplishing this?

Yeah, use IP Filter.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
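The first-match behaviour Keith describes, modelled as an added example that is not part of the original thread and not ipfw's own code: a small Python simulation of ipfw rule evaluation run over the two rulesets from the post. The addresses and ports, the reading of `established` as "ACK or RST set" and `setup` as "SYN without ACK", and the treatment of the `reset` action (drop the packet, send an RST back unless the packet was itself an RST, and filter that RST like any other outbound packet) are assumptions of the model, chosen to match what the post reports. With them it reproduces the outcomes described: rule 600 swallows the generated RST in the first ruleset, rule 300 lets it out in the second, and `check-state` carries the SYN/ACK of the port 22 flow in both.

```python
"""Toy model of ipfw first-match evaluation (added example, not ipfw code).
Assumed semantics, matching the behaviour described in the post: 'established'
means ACK or RST set; 'setup' means SYN without ACK; 'reset' drops the packet
and, unless it is itself an RST, sends an RST back that is then filtered like
any other outbound packet; 'keep-state' adds a bidirectional flow entry that
'check-state' matches. Addresses and ports are constructed for the example."""
from collections import namedtuple

MYIP = "192.0.2.1"        # stands in for {myip}
CLIENT = "198.51.100.7"   # constructed remote host

# flags is a frozenset drawn from {"SYN", "ACK", "RST"}
Pkt = namedtuple("Pkt", "src sport dst dport flags")
# action: allow | reset | deny | check-state; dport None means any port
Rule = namedtuple("Rule", "num action src dst dport setup established keep_state",
                  defaults=("any", "any", None, False, False, False))

def parse(line):
    """Parse the subset of ipfw rule syntax used in the post."""
    t = line.replace("{myip}", MYIP).split()
    num, action = int(t[0]), t[1]
    if action == "check-state":
        return Rule(num, action)
    src, dst, rest = t[4], t[6], t[7:]   # t[2] is the protocol; all TCP here
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(num, action, src, dst, dport, "setup" in rest,
                "established" in rest, "keep-state" in rest)

def matches(r, p):
    if r.src not in ("any", p.src) or r.dst not in ("any", p.dst):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
        return False
    return not r.established or bool(p.flags & {"ACK", "RST"})

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse(l) for l in ruleset.strip().splitlines()]
        self.dynamic = set()   # flow keys created by keep-state
        self.sent = []         # packets that actually left the box

    @staticmethod
    def flow(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        """Run one packet through the ruleset; returns the verdict string."""
        for r in self.rules:
            if r.action == "check-state":
                if self.flow(p) in self.dynamic:
                    self.sent.append(p)
                    return "allow (dynamic)"
                continue
            if not matches(r, p):
                continue
            if r.action == "allow":
                if r.keep_state:
                    self.dynamic.add(self.flow(p))
                self.sent.append(p)
                return f"allow (rule {r.num})"
            if r.action == "reset":
                if "RST" not in p.flags:   # an RST is never answered with an RST
                    rst = Pkt(p.dst, p.dport, p.src, p.sport, frozenset({"RST", "ACK"}))
                    self.process(rst)      # the reply RST is filtered on the way out
                return f"reset (rule {r.num})"
            return f"deny (rule {r.num})"
        return "deny (default)"

BROKEN = """
00400 check-state
00500 reset tcp from any to {myip} established
00600 reset tcp from {myip} to any established
00700 allow tcp from any to {myip} 22 keep-state setup
00800 reset tcp from any to {myip} setup
65535 deny ip from any to any"""

WORKING = """
00300 allow tcp from {myip} to any
00400 check-state
00500 reset tcp from any to {myip} established
00600 allow tcp from any to {myip} 22 keep-state setup
00700 reset tcp from any to {myip} setup
65535 deny ip from any to any"""

def probe(ruleset, dport):
    """SYN from CLIENT to MYIP:dport; returns (verdict, whether an RST reached CLIENT)."""
    fw = Firewall(ruleset)
    verdict = fw.process(Pkt(CLIENT, 40000, MYIP, dport, frozenset({"SYN"})))
    return verdict, any("RST" in q.flags and q.dst == CLIENT for q in fw.sent)

def handshake(ruleset):
    """SYN to port 22 and the SYN/ACK back: the dynamic rule carries the reply."""
    fw = Firewall(ruleset)
    syn = Pkt(CLIENT, 40000, MYIP, 22, frozenset({"SYN"}))
    synack = Pkt(MYIP, 22, CLIENT, 40000, frozenset({"SYN", "ACK"}))
    return fw.process(syn), fw.process(synack)

if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("working", WORKING)):
        print(name, "port 80:", probe(rs, 80), "port 22:", handshake(rs))
```

The point of the model is the recursive call in the `reset` branch: the RST that ipfw generates is an outbound packet like any other, so it has to find an outbound `allow` (rule 300 in the second ruleset) before the client can ever see it. `probe(BROKEN, 80)` reports the reset verdict from rule 800 but no RST delivered; `probe(WORKING, 80)` reports the reset from rule 700 with the RST delivered.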