From owner-freebsd-security Mon Jul 15 12: 4:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAB4137B400 for ; Mon, 15 Jul 2002 12:04:19 -0700 (PDT)
Received: from skynet.stack.nl (insgate.stack.nl [131.155.140.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F22F43E67 for ; Mon, 15 Jul 2002 12:04:19 -0700 (PDT) (envelope-from marcolz@stack.nl)
Received: from toad.stack.nl (toad.stack.nl [2001:610:1108:5010:202:b3ff:fe17:9e1a]) by skynet.stack.nl (Postfix) with ESMTP id 2C1AA3FF3; Mon, 15 Jul 2002 21:04:27 +0200 (CEST)
Received: by toad.stack.nl (Postfix, from userid 333) id B706798D1; Mon, 15 Jul 2002 21:04:17 +0200 (CEST)
Date: Mon, 15 Jul 2002 21:04:17 +0200
From: Marc Olzheim
To: "Dmitry S. Rzhavin"
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020715190417.GA72114@stack.nl>
References: <3D32D849.E3D8F2BE@rt.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>
User-Agent: Mutt/1.4i
X-Operating-System: FreeBSD toad.stack.nl 4.6-STABLE FreeBSD 4.6-STABLE
X-URL: http://www.stack.nl/~marcolz/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> 10 pass tcp from any to ip2 in keep-state setup
> ... nothing interesting here
> 20 deny tcp from any to ip2
>
>
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

"in" is just used to match packets not originating from, or routed by, your
machine. The action "pass" is what happens if the rule matches. The actions
are not split into "in", "bridge" and "out"... It's just "accept", "deny" or
"skipto". (and count, fwd, reset, divert, etc. but:) The first three are
enough to handle this:

10 skipto 20 tcp from any to ip2 in setup
...
20 deny tcp from any to ip2

Zlo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
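The two rulesets in the exchange above, run through a toy model of ipfw's first-match processing. This is an added example, not code from FreeBSD or from either poster; it simulates only the behaviour the reply relies on: rules are tried in ascending number order, the first rule whose criteria match decides the packet, a keep-state rule installs a bidirectional dynamic rule and then executes its own action immediately (so rule 20 is never consulted for that packet), the first keep-state rule also acts as an implicit check-state, and skipto resumes at the first rule numbered at or above its target. The addresses for ip1/ip2, the default-deny policy and the rule encoding are assumptions made for the example.

```python
"""Toy simulation of ipfw first-match processing with keep-state and skipto.

Added example, not FreeBSD code.  Assumptions: first match wins; keep-state
installs a dynamic rule and runs its action at once; the first keep-state rule
is an implicit check-state; skipto jumps to the first rule >= target; packets
matching no rule hit an assumed default deny (reported as rule 65535).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    direction: str   # "in" or "out"
    setup: bool      # True for a TCP SYN without ACK (ipfw "setup")


@dataclass
class Rule:
    number: int
    action: str                   # "accept", "deny", "skipto", "check-state"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None
    setup: bool = False
    keep_state: bool = False
    target: Optional[int] = None  # skipto destination

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.direction in (None, pkt.direction)
                and (not self.setup or pkt.setup))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: Dict[tuple, str] = {}  # session -> action of creating rule

    @staticmethod
    def session(pkt: Packet) -> tuple:
        # A dynamic rule matches both directions of a flow, so ignore endpoint order.
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        """Return (verdict, number of the rule that produced it)."""
        i, state_checked = 0, False
        while i < len(self.rules):
            r = self.rules[i]
            # Explicit check-state, or the implicit one of the first keep-state rule.
            if r.action == "check-state" or (r.keep_state and not state_checked):
                state_checked = True
                verdict = self.dynamic.get(self.session(pkt))
                if verdict is not None:
                    return verdict, r.number
                if r.action == "check-state":
                    i += 1
                    continue
            if not r.matches(pkt):
                i += 1
                continue
            if r.keep_state:
                # State is installed here, before the rule's action runs.
                self.dynamic[self.session(pkt)] = r.action
            if r.action in ("accept", "deny"):
                return r.action, r.number
            if r.action == "skipto":
                i = next((k for k, x in enumerate(self.rules) if x.number >= r.target),
                         len(self.rules))
                continue
            raise ValueError(f"unsupported action {r.action!r}")
        return "deny", 65535  # assumed default-deny policy


IP1, IP2 = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses


def original_ruleset() -> Firewall:
    """The poster's rules: 10 pass ... in keep-state setup / 20 deny ..."""
    return Firewall([
        Rule(10, "accept", proto="tcp", dst=IP2, direction="in", setup=True, keep_state=True),
        Rule(20, "deny", proto="tcp", dst=IP2),
    ])


def skipto_ruleset() -> Firewall:
    """The reply's rules: 10 skipto 20 ... in setup / 20 deny ..."""
    return Firewall([
        Rule(10, "skipto", proto="tcp", dst=IP2, direction="in", setup=True, target=20),
        Rule(20, "deny", proto="tcp", dst=IP2),
    ])


SYN_IN = Packet("tcp", IP1, IP2, "in", setup=True)         # ip1 opens a connection to ip2
SYNACK_OUT = Packet("tcp", IP2, IP1, "out", setup=False)   # ip2's reply


def trace(fw: Firewall):
    """Push the handshake through a ruleset; return both verdicts and the dynamic-rule count."""
    return fw.evaluate(SYN_IN), fw.evaluate(SYNACK_OUT), len(fw.dynamic)


if __name__ == "__main__":
    print("keep-state at rule 10:", trace(original_ruleset()))
    print("skipto 20 at rule 10: ", trace(skipto_ruleset()))
```

With the poster's ruleset the SYN is accepted at rule 10 and a dynamic rule is installed, so the reply is also accepted at rule 10 and rule 20 never sees the session; with the skipto variant the SYN reaches rule 20 and is denied, and no dynamic rule exists to let anything else through.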