From owner-freebsd-bugs Mon Jul 30 04:00:08 2001
Message-Id: <200107301053.f6UArhD50612@freefall.freebsd.org>
Date: Mon, 30 Jul 2001 03:53:43 -0700 (PDT)
From: David Newall
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/29323: ipfw's "established" option incorrectly passes packets with ECN-Echo flag set

>Number:         29323
>Category:       kern
>Synopsis:       ipfw's "established" option incorrectly passes packets with ECN-Echo flag set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 30 04:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     David Newall
>Release:        4.2-RELEASE
>Organization:
Tellurian Pty Ltd
>Environment:
FreeBSD custfw.tellurian.com.au 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20 13:02:55 GMT 2000 jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC i386
>Description:
Ipfw rules that specify "established" TCP packets incorrectly match packets with the ECN-Echo flag set (see RFC 2481). This type of rule is sometimes used to permit unrestricted "outbound" and restricted "inbound" connections. Intruders can exploit this fault to penetrate a firewall that is so configured.
>How-To-Repeat:
Create an ipfw incorporating the following general rules:

    ...
    accept tcp from TARGET to SECURE established
    deny tcp from TARGET to SECURE
    ...

then attempt to connect from TARGET to SECURE having set tcp flag 0x40.
>Fix:
There are a number of good ways to fix the problem.

1. Modify ip_fw.h, ip_fw.c and ipfw.c so that IP_FW_TCPF_ESTAB is not stored in fw_tcpf (best solution);
2. Modify ip_fw.c so that rules with IP_FW_TCPF_ESTAB set return 0 if neither the RST nor ACK flags are set (acceptable, but will need rework when the number of allocated flags exceeds 8); or
3. Modify ipfw.c to set fw_tcpnf to -1 (work around).

An acceptable work-around is to modify ipfw.c, appending

    rule.fw_tcpnf = 1;

after line 1896, which reads

    rule.fw_tcpf |= IP_FW_TCPF_ESTAB;

>Release-Note:
>Audit-Trail:
>Unformatted:
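The flag-matching mistake the PR describes, as an added example in C that is neither the submitter's patch nor FreeBSD's ipfw source: a model of the flawed compare beside a version applying the report's fix #2, assuming that IP_FW_TCPF_ESTAB shares the value 0x40 with the ECN-Echo bit, as the repro step implies. It also goes one step beyond the report by showing that an ECN-capable SYN (ECE and CWR set, per RFC 2481) takes the same path, so the rule mismatches legitimate ECN clients as well.

```c
#include <stdint.h>
#include <stdio.h>
/* TCP header flag bits (RFC 793; ECE and CWR from RFC 2481). */
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_ACK  0x10
#define TH_ECE  0x40   /* ECN-Echo: the bit the PR is about */
#define TH_CWR  0x80
/* ipfw's "established" pseudo-flag, kept in the same byte as the real flags.
 * Value 0x40 is assumed; the PR's repro (flag 0x40 passes) implies it. */
#define IP_FW_TCPF_ESTAB 0x40

struct rule { uint8_t fw_tcpf; uint8_t fw_tcpnf; }; /* bits required set / clear */

/* Model of the flawed match the PR describes: RST/ACK is accepted as
 * "established", anything else falls through to a plain bitmask compare
 * in which the pseudo-flag 0x40 matches a real ECN-Echo bit. */
int match_buggy(const struct rule *f, uint8_t th_flags)
{
    if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;
    if ((th_flags & f->fw_tcpf) != f->fw_tcpf) return 0;
    if (th_flags & f->fw_tcpnf) return 0;
    return 1;
}

/* The PR's fix #2: an "established" rule returns 0 unless RST or ACK is
 * set, and the pseudo-flag is masked off before the generic compare. */
int match_fixed(const struct rule *f, uint8_t th_flags)
{
    uint8_t want = f->fw_tcpf & (uint8_t)~IP_FW_TCPF_ESTAB;
    if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) && !(th_flags & (TH_RST | TH_ACK)))
        return 0;
    if ((th_flags & want) != want) return 0;
    if (th_flags & f->fw_tcpnf) return 0;
    return 1;
}

/* "accept tcp from TARGET to SECURE established" as the rule would store it. */
const struct rule established = { IP_FW_TCPF_ESTAB, 0 };

int main(void)
{
    /* Constructed flag bytes: ACK, bare SYN, ECN-capable SYN (ECE|CWR, RFC 2481), lone ECE. */
    uint8_t pkts[] = { TH_ACK, TH_SYN, TH_SYN | TH_ECE | TH_CWR, TH_ECE };
    for (unsigned i = 0; i < sizeof pkts; i++)
        printf("flags 0x%02x: buggy=%d fixed=%d\n", pkts[i],
               match_buggy(&established, pkts[i]), match_fixed(&established, pkts[i]));
    return 0;
}
```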