Date:      Sat, 11 Nov 2006 20:05:17 +0100
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        "Julian H. Stacey" <jhs@flat.berklix.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any	established
Message-ID:  <20061111190517.GB1158@kobe.laptop>
In-Reply-To: <200611111608.kABG8WRn069267@fire.jhs.private>
References:  <200611111442.kABEg4xT068699@fire.jhs.private> <4555E508.1090705@FreeBSD.org> <200611111608.kABG8WRn069267@fire.jhs.private>

On 2006-11-11 17:08, "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
> Hi security@ list,
> In my self written, large ipfw rule set, I had something that passed
> http to allow me to browse most but not all remote sites. For years
> I assumed the few sites I had difficulty with were cases pppoed MTU
> != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
> then running 6.1-RELEASE I realised that wasn't the problem.
>
> 	http://www.web.de		Still failed, &
> 	http://www.sueddeutsche.de	Was slow.
>
> I tried adding
>
> 	${fwcmd} add pass tcp from any to any established
>
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
>
> 	${fwcmd} add pass tcp from any http to me established in via tun0
> 	${fwcmd} add pass tcp from me to any http established out via tun0
>
> Should I still be worrying about 	established ?

In general, I prefer stateful rulesets, which eliminate the need for
'established' rules.  This would be something like:

    ${fwcmd} add check-state
    ${fwcmd} add pass tcp from me to any http out via tun0 keep-state
    ${fwcmd} add pass tcp from me to any ssh  out via tun0 keep-state
    [...]

This may create problems with connections whose entries time out before
something is received back from the other end, but IMHO this is much
better than the possibility of someone 'abusing' the 'established' check
to poke holes through the firewall ruleset.

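As an added illustration (not code from this thread or from FreeBSD's rc.firewall), the following Python model contrasts the two rulesets: ipfw's `established` keyword matches any TCP segment with ACK or RST set, whereas `check-state`/`keep-state` only passes segments that belong to a dynamic entry created by an earlier outbound match. Addresses, ports and packet layout are constructed for the example; dynamic-rule timeouts are left out.

```python
from dataclasses import dataclass

ME = "192.0.2.10"  # constructed address standing in for ipfw's 'me'


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    flags: frozenset    # TCP flag names, e.g. frozenset({"SYN"})


def established_ruleset(pkt):
    """'pass tcp from any to any established' ahead of a final deny."""
    if pkt.flags & {"ACK", "RST"}:          # ipfw 'established' semantics
        return "pass"
    if pkt.direction == "out" and pkt.src == ME:
        return "pass"                       # host may originate connections
    return "deny"


class StatefulFirewall:
    """'check-state' followed by 'pass tcp from me to any http out keep-state'."""

    def __init__(self):
        self.dynamic = set()   # (src, sport, dst, dport) keys, one per direction

    def evaluate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dynamic:             # check-state hit on a known flow
            return "pass"
        if pkt.direction == "out" and pkt.src == ME and pkt.dport == 80:
            self.dynamic.add(key)           # keep-state: remember both directions
            self.dynamic.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "pass"
        return "deny"                       # no state, not an allowed origination


def compare_rulesets():
    """Run constructed packets through both models; returns {name: (est, stateful)}."""
    fw = StatefulFirewall()
    web = "198.51.100.5"  # constructed remote web server
    packets = {
        "outbound_syn": Pkt(ME, 54321, web, 80, "out", frozenset({"SYN"})),
        "reply_synack": Pkt(web, 80, ME, 54321, "in", frozenset({"SYN", "ACK"})),
        # ACK-only segment to port 22 that belongs to no connection this host began
        "unsolicited_ack": Pkt("203.0.113.7", 4444, ME, 22, "in", frozenset({"ACK"})),
    }
    return {n: (established_ruleset(p), fw.evaluate(p)) for n, p in packets.items()}
```

The third packet is the case Giorgos alludes to: the `established` rule passes it purely on its flag bits, while the stateful ruleset denies it because no dynamic entry exists.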