Date: Thu, 20 Jun 2002 16:46:56 -0700
From: William Carrel <william.carrel@infospace.com>
To: "Dalin S. Owen" <dowen@nexusxi.com>, <freebsd-security@freebsd.org>
Subject: Re: IPFW/IPF Setup/Established
Message-ID: <B937B780.11219%william.carrel@infospace.com>
In-Reply-To: <20020620171111.A24480@nexusxi.com>
On 6/20/02 4:11 PM, "Dalin S. Owen" <dowen@nexusxi.com> wrote:

> ipfw add 9 allow tcp from any to any established
> ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
> (DEFAULT DENY RULE)
>
> vs.
>
> block in all
> block out all
> pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state
>
> These two rule snippets do essentially the same thing, I know one of them is
> stateful, and the other is not.
> It is kind of like comparing apples to oranges... but they behave the same in
> the end. They both check for a SYN, and keep a (virtual) state.

Not quite. A more interesting example above would be if the ipf snippet did
"block return-rst in proto tcp all". Then you would see a big difference in
behavior of scanners, particularly those doing a non-SYN scan. They would get
RST's on every single port with the ipf code, while the ipfw code would let
every scanned packet and response through. (This, of course, is not to say
that you can't get ipfw to return RST's on all those ports in a similar
situation, but you certainly don't do it with "setup" and "established".)

The "established" and "setup" keywords essentially mean anything with RST or
ACK and anything with SYN but not ACK respectively. One could quite easily
scan through a firewall setup this way by sending packets that look like they
are part of an established session. With these ipfw keywords there is
*absolutely no state keeping of any sort*. There are ways to keep state with
ipfw, inquire in your local manpages.

It's also worth noting that you may want something different than flags S
there in your ipf thingy... check the ipf-howto for reasons why.

> I have heard from the IPF community that a "allow tcp from any to any
> established" can be spoofed. Don't they need the right sequence number to do
> that? I mean, to send packets to my machine "claiming" to already
> be established to a private port?

No, as I briefly explained above. "established" and "setup" do no state
keeping whatsoever. They simply look at the TCP flags which can be set any
which way by a malicious transmitter. They don't care what the sequence number
is at all. As long as they have RST or ACK set, they get through. Think of
those keywords as short hand for tcpflags ack (or rst) and tcpflags syn,!ack.

> If so, then why is the /etc/rc.firewall
> script written this way? There must be a reason. Also, which one is faster
> at matching packets on average?

It depends heavily on the ruleset I imagine. Search the list archives for
various discussions/flamefests about which is better.

-- 
William Carrel | Sr. Systems Engineer | william.carrel@infospace.com
InfoSpace INC 601 108th Ave NE | Suite 1200 | Bellevue, WA 98004
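As an added illustration of the point made in the message above (this is not code from the thread, from ipfw or from ipf), the Python model below runs the same constructed inbound segments through two evaluators: one that mimics the stateless "setup"/"established" flag checks of ipfw rules 9 and 10 with a default deny, and one that mimics ipf's "flags S keep state" rule with "block in all". The packet values, the `Packet` type and the simplified treatment of ipf's flag mask (SYN set, ACK and RST clear) are assumptions made for the example.

```python
"""Constructed model: ipfw 'setup'/'established' (flag-only, stateless)
versus a 'keep state' rule that only passes segments of sessions it saw
the SYN for. Not code from the thread, ipfw or ipf."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

SERVER = "10.0.0.2"          # the host both rule sets in the thread protect


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]    # any subset of {"SYN", "ACK", "RST"}


def ipfw_flag_only(pkt: Packet) -> Tuple[bool, str]:
    """Stateless evaluation of:
         ipfw add 9  allow tcp from any to any established
         ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
         (default deny)
    'established' is shorthand for tcpflags ack (or rst);
    'setup' is shorthand for tcpflags syn,!ack. Nothing is remembered."""
    if pkt.flags & {"ACK", "RST"}:
        return True, "rule 9 established"
    if ("SYN" in pkt.flags and "ACK" not in pkt.flags
            and pkt.dst == SERVER and pkt.dport == 80):
        return True, "rule 10 setup"
    return False, "default deny"


class StatefulFilter:
    """Simplified evaluation of:
         block in all
         pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state
    A state entry is created only when a SYN-only segment reaches
    10.0.0.2:80; afterwards only segments whose 4-tuple matches an entry
    are passed. (Assumption: ipf's flag-mask details are collapsed to
    'SYN set, ACK/RST clear'.)"""

    def __init__(self) -> None:
        self.table = set()

    def inbound(self, pkt: Packet) -> Tuple[bool, str]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True, "state table hit"
        if ("SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST"})
                and pkt.dst == SERVER and pkt.dport == 80):
            self.table.add(key)
            return True, "pass in quick ... flags S keep state"
        return False, "block in all"


def compare(packets: List[Tuple[str, Packet]]) -> List[Tuple[str, bool, bool]]:
    """Feed one inbound sequence to both filters in order;
    return [(label, allowed_by_ipfw_rules, allowed_by_stateful_rule)]."""
    ipf = StatefulFilter()
    return [(label, ipfw_flag_only(pkt)[0], ipf.inbound(pkt)[0])
            for label, pkt in packets]


# Constructed traffic: a genuine handshake to port 80, then an unsolicited
# ACK aimed at a port that never saw a SYN, then a plain SYN to that port.
SAMPLE = [
    ("syn to web port",  Packet("192.0.2.10", 40000, SERVER, 80, frozenset({"SYN"}))),
    ("ack same session", Packet("192.0.2.10", 40000, SERVER, 80, frozenset({"ACK"}))),
    ("forged ack to 22", Packet("192.0.2.99", 40001, SERVER, 22, frozenset({"ACK"}))),
    ("syn to 22",        Packet("192.0.2.99", 40002, SERVER, 22, frozenset({"SYN"}))),
]


def verdicts() -> dict:
    """{label: (ipfw_allows, stateful_allows)} for the constructed sample."""
    return {label: (a, b) for label, a, b in compare(SAMPLE)}


if __name__ == "__main__":
    for label, ipfw_ok, ipf_ok in compare(SAMPLE):
        print(f"{label:18} ipfw: {'allow' if ipfw_ok else 'deny ':5}  "
              f"stateful: {'pass' if ipf_ok else 'block'}")
```

The third sample line is the one the message is about: the segment carries ACK, so the flag-only "established" rule lets it through to port 22 even though no session exists, while the stateful rule drops it because its 4-tuple is not in the table. If the ipfw side is what you run, ipfw's own `keep-state` and `check-state` keywords give the table behaviour this model attributes to ipf; the thread's point is only that "setup" and "established" are not those keywords.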