From owner-freebsd-security@FreeBSD.ORG Sat Nov 11 22:04:16 2006
Date: Sat, 11 Nov 2006 20:05:17 +0100
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Message-ID: <20061111190517.GB1158@kobe.laptop>
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>
References: <200611111442.kABEg4xT068699@fire.jhs.private> <4555E508.1090705@FreeBSD.org> <200611111608.kABG8WRn069267@fire.jhs.private>

On 2006-11-11 17:08, "Julian H. Stacey" wrote:
> Hi security@ list,
> In my self written, large ipfw rule set, I had something that passed
> http to allow me to browse most but not all remote sites. For years
> I assumed the few sites I had difficulty with were cases pppoed MTU
> != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
> then running 6.1-RELEASE I realised that wasn't the problem.
>
> http://www.web.de Still failed, &
> http://www.sueddeutsche.de Was slow.
>
> I tried adding
>
> ${fwcmd} add pass tcp from any to any established
>
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
>
> ${fwcmd} add pass tcp from any http to me established in via tun0
> ${fwcmd} add pass tcp from me to any http established out via tun0
>
> Should I still be worrying about established ?
In general, I prefer stateful rulesets, which eliminate the need for
'established' rules. This would be something like:

    ${fwcmd} add check-state
    ${fwcmd} add pass tcp from me to any http out via tun0 keep-state
    ${fwcmd} add pass tcp from me to any ssh out via tun0 keep-state
    [...]

This may create problems with connections whose entries time out before
something is received back from the other end, but IMHO this is much
better than the possibility of someone 'abusing' the 'established' check
to poke holes through the firewall ruleset.
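As an added illustration (not from the thread and not ipfw's own code), a toy Python model of the two matching strategies discussed above: the stateless 'established' rule passes any TCP segment carrying ACK or RST, while check-state/keep-state only passes segments that match a dynamic entry created by earlier permitted outbound traffic, and those entries expire, which is the timeout caveat mentioned. The addresses, ports, the 300 s lifetime and the flow-key shape are constructed assumptions of this model.

```python
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10      # TCP flag bits, as in <netinet/tcp.h>
# direction is "in" or "out" relative to the firewall's external interface
Pkt = namedtuple("Pkt", "src sport dst dport flags direction")


def established_rule(p):
    """'pass tcp from any to any established': stateless, passes any TCP
    segment with ACK or RST set, whoever sent it and whatever the port."""
    return bool(p.flags & (ACK | RST))


class StatefulFirewall:
    """'check-state' followed by 'pass tcp from me to any <svc> out keep-state'."""

    def __init__(self, me, out_services, lifetime=300):
        self.me, self.out_services, self.lifetime = me, out_services, lifetime
        self.dyn = {}                 # flow key -> expiry time (simplified model)

    @staticmethod
    def _key(p):
        # Direction-agnostic key, so a reply matches the entry its request made.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def passes(self, p, now):
        # Drop expired entries first: this is the timeout caveat from the mail.
        self.dyn = {k: t for k, t in self.dyn.items() if t > now}
        k = self._key(p)
        if k in self.dyn:             # check-state: known flow, refresh and pass
            self.dyn[k] = now + self.lifetime
            return True
        if p.direction == "out" and p.src == self.me and p.dport in self.out_services:
            self.dyn[k] = now + self.lifetime   # keep-state: create the entry
            return True
        return False                  # nothing matched: default deny


def scenario():
    me, web, stranger = "192.0.2.10", "198.51.100.80", "203.0.113.7"  # constructed
    fw = StatefulFirewall(me, {80, 22})
    req = Pkt(me, 40000, web, 80, SYN, "out")
    reply = Pkt(web, 80, me, 40000, SYN | ACK, "in")
    unsolicited = Pkt(stranger, 4444, me, 5432, ACK, "in")   # nobody asked for this
    return {
        "established_passes_unsolicited": established_rule(unsolicited),
        "stateful_passes_unsolicited": fw.passes(unsolicited, 0),
        "stateful_passes_request": fw.passes(req, 1),
        "stateful_passes_reply": fw.passes(reply, 2),
        "reply_after_timeout": fw.passes(reply, 2 + 300 + 1),   # entry expired
    }
```

Running scenario() shows the unsolicited ACK segment passing the 'established' rule but not the stateful one, and the legitimate reply being dropped once its dynamic entry has expired.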