Date:      Sat, 11 Nov 2006 11:00:49 -0800 (PST)
From:      "R. B. Riddick" <arne_woerner@yahoo.com>
To:        "Julian H. Stacey" <jhs@flat.berklix.net>, freebsd-security@freebsd.org
Subject:   Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established 
Message-ID:  <216597.35069.qm@web30315.mail.mud.yahoo.com>
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>

--- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
> I tried adding 
> 	${fwcmd} add pass tcp from any to any established
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
> 	${fwcmd} tcp from any http to me established in via tun0
> 	${fwcmd} tcp from me to any http established out via tun0
> Should I still be worrying about established ?
> 
Hmm... I personally use "check-state" and "keep-state", so that it is not
enough to fake the "established" flags, but the attacker had to know the ports,
the IPs, control over routing in pub inet(?) and some little secrets in the TCP
headers (I don't know exactly how it works):
 add check-state
 add pass     icmp from any to any        keep-state out xmit tun0
 add pass     tcp  from any to any  setup keep-state out xmit tun0
 add pass     udp  from any to any domain keep-state out xmit tun0

Furthermore I use pf on the same box, too, so that a bug in ipfw is not
enough... :-)

-Arne
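As an added illustration (not part of Arne's or Julian's mail, and not FreeBSD's ipfw code), here is a small Python model of the two policies discussed in the thread: a stateless `established` match, which accepts any TCP segment carrying ACK or RST, beside a `check-state`/`keep-state` filter that only admits traffic belonging to a flow opened from the inside. The hosts, ports and packets are constructed, and the model ignores state expiry and other details of real ipfw dynamic rules.

```python
# Simplified model of two ipfw policies on a host "me" (constructed example):
#  (a) stateless:  pass tcp from any to any established
#  (b) stateful:   check-state  +  pass tcp from any to any setup keep-state out
# Not a reimplementation of ipfw: real dynamic rules expire, and ipfw looks at
# more header fields than are modelled here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})
    direction: str     # "in" or "out", as seen on the external interface


def established_passes(pkt: Pkt) -> bool:
    """ipfw 'established': matches any TCP segment with RST or ACK set.
    Nothing ties the segment to a connection this host actually opened."""
    return bool(pkt.flags & {"RST", "ACK"})


class StatefulFw:
    """check-state / keep-state: only segments of a flow that an outbound
    'setup' (SYN, no ACK) created state for are admitted, in either direction."""

    def __init__(self) -> None:
        self.dynamic: set = set()   # 4-tuples of flows with a dynamic rule

    def passes(self, pkt: Pkt) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic or rev in self.dynamic:   # check-state hit
            return True
        if pkt.direction == "out" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.dynamic.add(fwd)                          # setup keep-state out
            return True
        return False


ME, WEB, ATTACKER = "192.0.2.10", "198.51.100.80", "203.0.113.7"   # constructed addresses


def scenario() -> dict:
    """Legit web reply vs. an unsolicited inbound segment with the ACK bit set."""
    fw = StatefulFw()
    syn = Pkt(ME, 40000, WEB, 80, frozenset({"SYN"}), "out")
    syn_ack = Pkt(WEB, 80, ME, 40000, frozenset({"SYN", "ACK"}), "in")
    # Source port 80 so it also fits "from any http to me established in"
    forged = Pkt(ATTACKER, 80, ME, 22, frozenset({"ACK"}), "in")
    return {
        "reply_established": established_passes(syn_ack),
        "reply_stateful": fw.passes(syn) and fw.passes(syn_ack),
        "forged_established": established_passes(forged),
        "forged_stateful": fw.passes(forged),
    }
```

Running `scenario()` shows both policies admit the genuine SYN/ACK reply, but only the stateless `established` rule also admits the unsolicited ACK segment, since no outbound setup ever created state for that flow.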


 