From owner-freebsd-security@FreeBSD.ORG Sat Nov 11 19:01:03 2006
Date: Sat, 11 Nov 2006 11:00:49 -0800 (PST)
From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: "Julian H. Stacey", freebsd-security@freebsd.org
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>
Message-ID: <216597.35069.qm@web30315.mail.mud.yahoo.com>
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
List-Id: "Security issues [members-only posting]"

--- "Julian H. Stacey" wrote:
> I tried adding
> ${fwcmd} add pass tcp from any to any established
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
> Should I still be worrying about established ?
>
Hmm...

I personally use "check-state" and "keep-state", so that it is not enough to fake the "established" flags, but the attacker had to know the ports, the IPs, control over routing in pub inet(?) and some little secrets in the TCP headers (I don't know exactly how it works):

add check-state
add pass icmp from any to any keep-state out xmit tun0
add pass tcp from any to any setup keep-state out xmit tun0
add pass udp from any to any domain keep-state out xmit tun0

Furthermore I use pf on the same box, too, so that a bug in ipfw is not enough... :-)

-Arne
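As an added illustration (not code from the thread or from FreeBSD's rc.firewall), a small Python model of the difference Arne describes: ipfw's `established` keyword only looks at TCP flags, while `check-state`/`keep-state` only passes a packet that matches a dynamic entry created by the host's own outbound `setup` packet. The addresses, ports and packets are constructed for the scenario.

```python
# Toy model of 'established' vs check-state/keep-state; not ipfw itself.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})
    direction: str    # "in" or "out", relative to the firewall host

def established(p: Pkt) -> bool:
    # ipfw's 'established' option matches any TCP packet with RST or ACK
    # set, i.e. one that merely *claims* to belong to an open connection.
    return p.proto == "tcp" and bool({"ACK", "RST"} & p.flags)

class StatefulFw:
    """'add check-state' + 'add pass tcp from any to any setup keep-state out'."""
    def __init__(self) -> None:
        self.dyn: set = set()  # dynamic rules keyed by 5-tuple

    def filter(self, p: Pkt) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dyn or rev in self.dyn:   # add check-state
            return "pass"
        # add pass tcp from any to any setup keep-state out xmit tun0
        if p.proto == "tcp" and p.direction == "out" and p.flags == {"SYN"}:
            self.dyn.add(fwd)                    # keep-state creates the entry
            return "pass"
        return "deny"                            # implicit final deny

def scenario() -> dict:
    # Constructed addresses: this host, a web server, and a third party.
    me, web, other = "198.51.100.7", "203.0.113.80", "192.0.2.66"
    fw = StatefulFw()
    syn = Pkt("tcp", me, 49152, web, 80, frozenset({"SYN"}), "out")
    synack = Pkt("tcp", web, 80, me, 49152, frozenset({"SYN", "ACK"}), "in")
    forged = Pkt("tcp", other, 31337, me, 22, frozenset({"ACK"}), "in")
    return {
        "syn": fw.filter(syn),                        # "pass", creates state
        "synack": fw.filter(synack),                  # "pass" via check-state
        "forged_established": established(forged),    # True: flag check alone
        "forged_stateful": fw.filter(forged),         # "deny": no matching state
    }
```

The last two entries are the point of Arne's reply: an inbound ACK with no prior outbound SYN satisfies `established` but has no dynamic rule to match, so the stateful ruleset drops it.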