From: "Dalin S. Owen" <dalin@nexusxi.com>
To: freebsd-security@freebsd.org
Date: Thu, 20 Jun 2002 17:11:11 -0600
Subject: IPFW/IPF Setup/Established
Message-ID: <20020620171111.A24480@nexusxi.com>

First an example: :)

    ipfw add 9 allow tcp from any to any established
    ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
    (DEFAULT DENY RULE)

vs.

    block in all
    block out all
    pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state

These two rule snippets do essentially the same thing, I know one of them is stateful, and the other is not.

It is kind of like comparing apples to oranges... but they behave the same in the end. They both check for a SYN, and keep a (virtual) state.

I have heard from the IPF community that an "allow tcp from any to any established" can be spoofed. Don't they need the right sequence number to do that? I mean, to send packets to my machine "claiming" to already be established to a private port? If so, then why is the /etc/rc.firewall script written this way? There must be a reason.

Also, which one is faster at matching packets on average?

Help me end the ipfw + ipf madness!!?!?
:)

Insanely yours,
Dalin S. Owen
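As an added illustration of the difference the post asks about (this is not code from the post, from FreeBSD, or from either firewall): a small Python model of the two rule sets. ipfw's `established` keyword is documented as matching TCP packets that have the ACK or RST bit set, and `setup` as SYN without ACK; the model implements exactly those flag tests. ipf's `keep state` rule is modelled as a state table keyed on the 5-tuple that only a SYN matching the pass rule can populate. The addresses, ports and packet list are constructed sample values; outbound reply traffic and sequence-number validation (which the host TCP stack does, not either filter) are deliberately left out, so what the model shows is the filter-layer decision only.

```python
"""Toy model of 'established' (flag test) vs. 'keep state' (state table).

Constructed example, not FreeBSD code. Packets are small records; the
ipfw rules from the post become a pure flag check, the ipf rule becomes
a state table seeded only by a SYN that matches the pass rule.
"""

from dataclasses import dataclass, field

# TCP flag bits (RFC 793 layout of the flags byte).
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def ipfw_stateless(pkt: Packet, web_host: str = "10.0.0.2", web_port: int = 80) -> bool:
    """Rules 9 and 10 from the post followed by a default deny.

    'established' is a test on the flags byte only: ACK or RST set.
    Nothing here remembers earlier packets.
    """
    if pkt.flags & (ACK | RST):                       # rule 9: established
        return True
    if (pkt.dst == web_host and pkt.dport == web_port
            and pkt.flags & SYN and not pkt.flags & ACK):
        return True                                   # rule 10: setup (SYN, no ACK)
    return False                                      # default deny


@dataclass
class IpfStateful:
    """'block in all' plus 'pass in ... port = 80 flags S keep state'."""
    web_host: str = "10.0.0.2"
    web_port: int = 80
    table: set = field(default_factory=set)           # tracked sessions (5-tuple keys)

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:                         # belongs to a tracked session
            return True
        if (pkt.dst == self.web_host and pkt.dport == self.web_port
                and pkt.flags & SYN and not pkt.flags & ACK):
            self.table.add(key)                       # keep state: the SYN creates the entry
            return True
        return False                                  # block in all


def compare(packets):
    """Return (dport, ipfw verdict, ipf verdict) for each packet in order."""
    ipf = IpfStateful()
    return [(p.dport, ipfw_stateless(p), ipf.filter(p)) for p in packets]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("192.0.2.10", 40000, "10.0.0.2", 80, SYN),  # SYN to the web port: both pass
    Packet("192.0.2.10", 40000, "10.0.0.2", 80, ACK),  # later packet of that session: both pass
    Packet("192.0.2.99", 40001, "10.0.0.2", 22, ACK),  # ACK-flagged packet to a port never opened:
                                                       #   ipfw passes (flag test), ipf blocks (no state)
    Packet("192.0.2.99", 40002, "10.0.0.2", 22, SYN),  # SYN to that port: both deny
]

if __name__ == "__main__":
    for dport, ipfw_ok, ipf_ok in compare(SAMPLE):
        print(f"dport={dport:<3} ipfw={'pass' if ipfw_ok else 'deny':<4} ipf={'pass' if ipf_ok else 'deny'}")
```

The third sample packet is the case the post is asking about: the stateless rule set admits it at the filter because the ACK bit is set, and it is then up to the host's TCP stack to reject a segment that does not match any connection; the stateful rule set never lets it reach the stack, because no SYN through the pass rule created a table entry for that 5-tuple.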