Date: Wed, 17 Feb 1999 08:48:50 -0600
From: Guy Helmer <ghelmer@scl.ameslab.gov>
To: Dave Richards <dave@richcon.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: "established" firewall rule
Message-ID: <Pine.SGI.4.05.9902170831210.2351-100000@demios.scl.ameslab.gov>
In-Reply-To: <36CA32D3.FB01EAE5@richcon.com>
On Tue, 16 Feb 1999, Dave Richards wrote:

> Hi All,
> I was recently the victim of a security breach on my FreeBSD 2.5 box
> (the fault of Qualcomm's Qpopper 2.4 daemon, NOT FreeBSD). It was not
> pretty.. trojan horse programs all over... As a result, I reinstalled
> with 2.8 and a firewall-enabled kernel. I think it's pretty secure now,
> except for one question:
>
> Can packets matching the "established" firewall rule be forged? I put
> the following line early in my firewall to improve performance:
>
> ipfw allow tcp from any to any established
>
> ....but I'm still a little worried that some crackerjack can forge
> packets by setting the RST or ACK bits in his packets to fool the
> firewall. Is this do-able??? Thanks for any insights...

Any TCP segment without the SYN bit set could get through this rule. A TCP
connection can only be initiated by a packet with the SYN bit set, so this
rule won't allow an attacker to connect to arbitrary ports on your machine.

The "established" rule will allow stealth scanning (sending packets without
the SYN bit set to arbitrary ports on your machine to probe what your machine
is doing), but you can reduce your exposure by not running services you don't
need (such as rsh/rlogin/rexec, telnet, ftp, etc.).

Depending on your rules, the established rule could allow outgoing
connections that you wouldn't ordinarily allow, such as if your rules
otherwise allow outgoing connections only to certain ports (e.g., port 80);
arranging your rules properly should avoid this possibility.

If there are other significant exposures due to the "established" rule, I'd
like to hear someone else chime in about them.

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer
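The behaviour Guy describes can be checked against a small model of ipfw's first-match evaluation. The following Python is an added example written for this archive page; it is not code from the thread, from FreeBSD or from ipfw. It assumes the ipfw keyword semantics "established" = TCP segment with RST or ACK set and "setup" = SYN set without ACK, and the three-rule set below is constructed to resemble the poster's configuration (an early "established" rule, a web server reachable from outside, deny everything else). It shows that a SYN to a non-web port is dropped while an ACK-only or RST-only segment to the same port passes, and gives the defender a function that lists which inbound non-SYN segments reach ports with no listener, which is exactly the exposure the reply calls stealth scanning.

```python
"""Model of ipfw first-match evaluation for an early 'established' rule.

Added example: a simulation of rule semantics, not ipfw itself.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields a stateless ipfw rule can see."""
    direction: str   # "in" or "out", relative to the firewalled host
    sport: int
    dport: int
    flags: int


def matches_established(seg: Segment) -> bool:
    """ipfw 'established': matches TCP segments with the RST or ACK bit set."""
    return bool(seg.flags & (RST | ACK))


def matches_setup(seg: Segment) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. a connection-opening segment."""
    return bool(seg.flags & SYN) and not (seg.flags & ACK)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    pred: Callable[[Segment], bool]   # predicate over the segment
    text: str                         # the rule as it would read in ipfw


def evaluate(rules: List[Rule], seg: Segment) -> Tuple[str, str]:
    """First matching rule wins, as in ipfw; an implicit deny ends the list."""
    for rule in rules:
        if rule.pred(seg):
            return rule.action, rule.text
    return "deny", "implicit default deny"


# Constructed rule set modelled on the poster's description: 'established'
# placed early for performance, then only the web server (port 80) may be
# opened from outside, then everything else is denied.
RULES = [
    Rule("allow", matches_established, "allow tcp from any to any established"),
    Rule("allow",
         lambda s: s.direction == "in" and s.dport == 80 and matches_setup(s),
         "allow tcp from any to me 80 setup"),
    Rule("deny", lambda s: True, "deny tcp from any to any"),
]


def probe_exposure(rules: List[Rule], open_ports: Set[int],
                   segments: List[Segment]) -> List[int]:
    """Defender's view: which inbound non-SYN segments pass the filter and land
    on a port where nothing is listening?  The host answers those with RST, so
    the sender can distinguish closed ports from filtered ones.  Each returned
    port is one a firewall log line (or a detection rule) should flag."""
    reached = []
    for seg in segments:
        action, _ = evaluate(rules, seg)
        if (seg.direction == "in" and action == "allow"
                and not (seg.flags & SYN) and seg.dport not in open_ports):
            reached.append(seg.dport)
    return reached


if __name__ == "__main__":
    # A SYN to port 80 is allowed by the 'setup' rule, a SYN to port 23 is
    # denied, but an ACK-only segment to port 23 slips through 'established'.
    for seg in (Segment("in", 40000, 80, SYN),
                Segment("in", 40000, 23, SYN),
                Segment("in", 40000, 23, ACK)):
        print(seg.dport, hex(seg.flags), evaluate(RULES, seg))
    # Ports a non-SYN probe would reach if only the web server is listening.
    print(probe_exposure(RULES, {80},
                         [Segment("in", 40000, p, ACK) for p in (22, 23, 80, 110)]))
```

The model matches the reply's two points: a connection still needs a SYN, which the early rule never matches, so the filter denies it unless a later rule opens the port; but any RST- or ACK-flagged segment to any port passes, and the host's RST replies leak which ports have listeners. Reducing the set passed as open_ports (not running unneeded services) is the mitigation the reply recommends, and the list this function returns is what to watch for in the firewall log.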