From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 1 17:18:42 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC64D16A4CE for ; Mon, 1 Mar 2004 17:18:42 -0800 (PST) Received: from ns1.itga.com.au (ns1.itga.com.au [202.53.40.214]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54F1543D1D for ; Mon, 1 Mar 2004 17:18:41 -0800 (PST) (envelope-from gnb@itga.com.au) Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20]) by ns1.itga.com.au (8.12.9/8.12.9) with ESMTP id i221IdR5097078; Tue, 2 Mar 2004 12:18:39 +1100 (EST) (envelope-from gnb@itga.com.au) Received: from lightning.itga.com.au (localhost [127.0.0.1]) by lightning.itga.com.au (8.9.3/8.9.3) with ESMTP id MAA18408; Tue, 2 Mar 2004 12:18:38 +1100 (EST) Message-Id: <200403020118.MAA18408@lightning.itga.com.au> X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.4 From: Gregory Bond To: "J.T. Davies" In-reply-to: Your message of Sun, 29 Feb 2004 15:29:44 -0800. Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 02 Mar 2004 12:18:38 +1100 Sender: gnb@itga.com.au cc: freebsd-ipfw@freebsd.org Subject: Re: TCP established flag & ipfw rule X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Mar 2004 01:18:42 -0000 jtd@hostthecoast.org said: > To clarify, instead of "EST" in my original post, replace with "ACK". > Could some unscrupulous person add the "ACK" flag to the TCP packets > and be accepted by this rule (even though they may not technically be > "ACK")? They could. But this is not as damaging as you think, because once the malicious packet is passed by ipfw and gets to the destination machine, the dest machine will try and look up the internal state (i.e. seq numbers, window sizes, RTT estimates etc) for this supposed TCP connection. It will presumably not have a TCP connection with the matching ip address/portnumbers, so all this will do is cause the "attacked" machine to send an RST and discard the malicious packet. It won't magically make a connection appear in the target machine. The only way to initiate a TCP connection is with a SYN packet, and they don't get passed by the "established" rule. So this is a possible denial-of-service (forcing the internal machine to consider and RST random attacking packets), but not a security failure as such.