From owner-freebsd-security@FreeBSD.ORG Sat Nov 11 16:08:31 2006
From: "Julian H. Stacey"
To: freebsd-security@freebsd.org
Date: Sat, 11 Nov 2006 17:08:32 +0100
Subject: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-Id: <200611111608.kABG8WRn069267@fire.jhs.private>
In-reply-to: <4555E508.1090705@FreeBSD.org>
References: <200611111442.kABEg4xT068699@fire.jhs.private> <4555E508.1090705@FreeBSD.org>
Comments: In-reply-to Remko Lodder message dated "Sat, 11 Nov 2006 15:58:16 +0100."
List-Id: "Security issues [members-only posting]"

Hi security@ list,

In my self-written, large ipfw rule set, I had something that passed http to allow me to browse most but not all remote sites. For years I assumed the few sites I had difficulty with were cases of pppoed MTU != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but then running 6.1-RELEASE I realised that wasn't the problem.

http://www.web.de still failed, & http://www.sueddeutsche.de was slow.

I tried adding

	${fwcmd} add pass tcp from any to any established

from src/etc/rc.firewall case - simple. Which solved it. But I was scared, not understanding what the established bit did, & how easily an attacker might fake something, etc.

I found adding these tighter rules instead worked for me

	${fwcmd} add pass tcp from any http to me established in via tun0
	${fwcmd} add pass tcp from me to any http established out via tun0

Should I still be worrying about established ?

Julian
--
Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
Mail Ascii, not HTML. Your smoke = my allergic headache.
http://berklix.org/free-software
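The question in the mail turns on what `established` actually tests. Per ipfw(8) it is a flag check only: a TCP segment matches when its RST or ACK bit is set, and no connection table is consulted. The following toy model is an added example, not part of Julian's mail or of FreeBSD's src/etc/rc.firewall; it encodes the rc.firewall "simple" rule and the two narrower rules from the mail as data and evaluates constructed packets (documentation-range addresses; `me` is modelled as the single address `ME`, `tun0` is taken from the mail) against both, to show that the broad rule passes any ACK-bearing segment to any local port while the narrowed pair only passes what looks like HTTP reply traffic on tun0.

```python
"""Toy model of ipfw's ``established`` matching for the two rule sets in the
mail above. Added example, not from the mail or from src/etc/rc.firewall.
Addresses are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ME = "192.0.2.10"   # constructed: the one local address that "me" stands for here
HTTP = 80           # ipfw resolves the service name "http" to port 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag names, e.g. frozenset({"ACK"})
    direction: str          # "in" or "out"
    iface: str              # interface the packet crosses, e.g. "tun0"


@dataclass(frozen=True)
class Rule:
    """One ``add <action> tcp ...`` rule; None means the field is unconstrained ("any")."""
    action: str                        # "pass" or "deny"
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False          # the "established" keyword
    direction: Optional[str] = None    # "in" / "out"
    iface: Optional[str] = None        # "via <iface>"


def is_established(pkt: Packet) -> bool:
    # ipfw(8): "established" matches TCP packets with the RST or ACK bit set.
    # Nothing here records whether a connection was ever opened.
    return "ACK" in pkt.flags or "RST" in pkt.flags


def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.src is None or rule.src == pkt.src,
        rule.sport is None or rule.sport == pkt.sport,
        rule.dst is None or rule.dst == pkt.dst,
        rule.dport is None or rule.dport == pkt.dport,
        not rule.established or is_established(pkt),
        rule.direction is None or rule.direction == pkt.direction,
        rule.iface is None or rule.iface == pkt.iface,
    ])


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in ipfw; with no match the default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# rc.firewall "simple":  ${fwcmd} add pass tcp from any to any established
SIMPLE = [Rule("pass", established=True)]

# The narrower pair from the mail:
#   ${fwcmd} add pass tcp from any http to me established in via tun0
#   ${fwcmd} add pass tcp from me to any http established out via tun0
TIGHT = [
    Rule("pass", sport=HTTP, dst=ME, established=True, direction="in", iface="tun0"),
    Rule("pass", src=ME, dport=HTTP, established=True, direction="out", iface="tun0"),
]

# Constructed sample traffic arriving on tun0
HTTP_REPLY = Packet("198.51.100.7", HTTP, ME, 50000, frozenset({"ACK"}), "in", "tun0")
STRAY_ACK = Packet("198.51.100.7", 4444, ME, 22, frozenset({"ACK"}), "in", "tun0")
SYN_ONLY = Packet("198.51.100.7", HTTP, ME, 50000, frozenset({"SYN"}), "in", "tun0")


def compare(packets: Dict[str, Packet]) -> Dict[str, Dict[str, str]]:
    """Verdict of each rule set for each packet, keyed by packet name."""
    return {name: {"simple": evaluate(SIMPLE, p), "tight": evaluate(TIGHT, p)}
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdicts in compare({"http_reply": HTTP_REPLY,
                                   "stray_ack": STRAY_ACK,
                                   "syn_only": SYN_ONLY}).items():
        print(f"{name:11s} simple={verdicts['simple']:5s} tight={verdicts['tight']}")
```

The stray ACK to port 22 is the case that separates the two: the "simple" rule passes it purely because the ACK bit is set, the narrowed pair denies it because the source port and destination do not fit an HTTP reply. Neither form tracks connections; ipfw's `keep-state` / `check-state` dynamic rules are the mechanism that actually remembers which connections the local side opened.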