From owner-freebsd-security Thu Jun 20 22:35:37 2002
Date: Fri, 21 Jun 2002 17:35:21 +1200 (NZST)
From: Andrew McNaughton
To: "Dalin S. Owen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/IPF Setup/Established
In-Reply-To: <20020620171111.A24480@nexusxi.com>
Message-ID: <20020621171329.C32663-100000@a2>

On Thu, 20 Jun 2002, Dalin S. Owen wrote:

> I have heard from the IPF community that an "allow tcp from any to any
> established" can be spoofed. Don't they need the right sequence number
> to do that? I mean, to send packets to my machine "claiming" to already
> be established to a private port? If so, then why is the
> /etc/rc.firewall script written this way? There must be a reason.
> Also, which one is faster at matching packets on average?

You can't initiate a new TCP session if the SYN packet is blocked. I'd
guess that the point of said spoofing would be for port scanning. E.g.
this rule:

  ipfw deny tcp from any to any in via ep0 setup

does not prevent TCP port scanning. E.g.:

  nmap -P0 -sN

Andrew
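The reply's point is that ipfw's `setup` and `established` options are just tests on TCP flag bits, so a "deny ... setup" rule on its own only stops SYN packets. The following is an added illustration, not code from the thread or from FreeBSD: a small model of those two matchers and a first-match rule walk, showing that a flagless probe slips past a deny-setup rule unless the ruleset also defaults to deny. The `Rule` class, `evaluate` and the two sample rulesets are constructed for this example; the flag-matching semantics follow ipfw(8), where `setup` means SYN set and ACK clear, and `established` means RST or ACK set.

```python
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as defined in <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_setup(flags: int) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. a connection-opening packet."""
    return bool(flags & TH_SYN) and not (flags & TH_ACK)


def is_established(flags: int) -> bool:
    """ipfw 'established': RST or ACK set (no sequence-number check is made)."""
    return bool(flags & (TH_RST | TH_ACK))


@dataclass
class Rule:                    # constructed for this example
    action: str                # "allow" or "deny"
    tcp_opt: Optional[str]     # "setup", "established", or None for any TCP packet


def evaluate(rules: List[Rule], flags: int, default: str = "deny") -> str:
    """First-match walk, like ipfw. 'default' stands in for the final rule
    (ipfw's rule 65535), which is deny unless the kernel was built to accept."""
    for r in rules:
        if (r.tcp_opt is None
                or (r.tcp_opt == "setup" and is_setup(flags))
                or (r.tcp_opt == "established" and is_established(flags))):
            return r.action
    return default


# Ruleset 1: the deny-setup rule from the reply, followed by an allow-everything rule.
DENY_SETUP_THEN_ALLOW = [Rule("deny", "setup"), Rule("allow", None)]

# Ruleset 2: rc.firewall-style ordering: allow established, deny setup, default deny.
ESTABLISHED_THEN_DENY_SETUP = [Rule("allow", "established"), Rule("deny", "setup")]

# Constructed probe packets: a normal SYN, a flagless (NULL-scan style) segment,
# and a bare ACK.
PROBES = {"syn": TH_SYN, "null": 0, "ack": TH_ACK}


def outcomes(rules: List[Rule]) -> dict:
    """Map each probe to the action the ruleset takes on it."""
    return {name: evaluate(rules, flags) for name, flags in PROBES.items()}


if __name__ == "__main__":
    print("deny setup, then allow all:", outcomes(DENY_SETUP_THEN_ALLOW))
    print("allow established, deny setup, default deny:", outcomes(ESTABLISHED_THEN_DENY_SETUP))
```

The first ruleset lets the flagless probe through (it matches neither `setup` nor `established`), which is why a port scan that never sends SYN is not stopped; the second drops it on the default rule, while a bare ACK is still accepted by `established` because that test looks only at flag bits.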