Date: Fri, 21 Jun 2002 17:35:21 +1200 (NZST)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: "Dalin S. Owen" <dowen@nexusxi.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/IPF Setup/Established
Message-ID: <20020621171329.C32663-100000@a2>
In-Reply-To: <20020620171111.A24480@nexusxi.com>

On Thu, 20 Jun 2002, Dalin S. Owen wrote:

> I have heard from the IPF community that an "allow tcp from any to any
> established" can be spoofed. Don't they need the right sequence number
> to do that? I mean, to send packets to my machine "claiming" to already
> be established to a private port? If so, then why is the
> /etc/rc.firewall script written this way? There must be a reason.
> Also, which one is faster at matching packets on average?

You can't initiate a new TCP session if the SYN packet is blocked. I'd
guess that the point of said spoofing would be for port scanning.

e.g. this rule:

  ipfw deny tcp from any to any in via ep0 setup

does not prevent TCP port scanning. e.g.:

  nmap -P0 -sN <host>

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
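
Added example, not part of the message above and not FreeBSD code: a small Python model of how ipfw's flag-only "setup" and "established" keywords classify TCP packets, next to a simplified model of stateful (keep-state/check-state) filtering. The trailing default-allow rule, the addresses and the packet list are assumptions constructed for illustration.

```python
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

def is_setup(flags):        # ipfw "setup": SYN set, ACK clear
    return bool(flags & SYN) and not (flags & ACK)

def is_established(flags):  # ipfw "established": RST or ACK set
    return bool(flags & (RST | ACK))

# Stateless rules, first match wins. The first two come from the thread;
# the trailing allow is an assumed default, added for illustration.
STATELESS_RULES = [
    ("allow", None, is_established),      # allow tcp from any to any established
    ("deny", "in", is_setup),             # deny tcp from any to any in via ep0 setup
    ("allow", None, lambda flags: True),  # assumed: everything else passes
]

def stateless_verdict(direction, flags):
    for action, rule_dir, match in STATELESS_RULES:
        if rule_dir in (None, direction) and match(flags):
            return action
    return "deny"

def stateful_verdict(flows, direction, src, dst, flags):
    # Simplified stateful model: inbound TCP passes only as the reverse of a flow an outbound SYN opened.
    if direction == "out":
        if is_setup(flags):
            flows.add((src, dst))
        return "allow"
    return "allow" if (dst, src) in flows else "deny"

# Constructed sample packets (documentation addresses, not captured traffic).
HOST, PEER = ("192.0.2.10", 40000), ("198.51.100.7", 80)
PROBE, SSHD = ("203.0.113.5", 51000), ("192.0.2.10", 22)
PACKETS = [
    ("outbound SYN", "out", HOST, PEER, SYN),
    ("reply SYN+ACK", "in", PEER, HOST, SYN | ACK),
    ("inbound SYN", "in", PROBE, SSHD, SYN),
    ("null (no flags)", "in", PROBE, SSHD, 0),
    ("FIN only", "in", PROBE, SSHD, FIN),
    ("bare ACK", "in", PROBE, SSHD, ACK),
]

def compare(packets=PACKETS):
    flows = set()
    return {label: (stateless_verdict(d, flags), stateful_verdict(flows, d, s, t, flags))
            for label, d, s, t, flags in packets}

if __name__ == "__main__":
    print(*compare().items(), sep="\n")
```

Each entry is (stateless verdict, stateful verdict). The flag-only rules stop the inbound SYN but pass the flagless, FIN-only and unsolicited ACK segments, while the stateful model passes only the reply to the host's own connection.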