Date:      Sun, 5 Dec 1999 21:41:52 -0800
From:      Gregory Sutter <gsutter@pobox.com>
To:        Brian Gallucci <galluccib@yahoo.ie>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: IPFW established
Message-ID:  <19991205214151.Y94590@azazel.zer0.org>
In-Reply-To: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
References:  <19991206011409.10981.qmail@web3005.mail.yahoo.com>

On Sun, Dec 05, 1999 at 05:14:09PM -0800, Brian Gallucci wrote:
> I just have one question about the established command
> in rc.firewall. 
> 
> I have heard that if we add  -> 
> $fwcmd add pass tcp from any to any established 
> $fwcmd add pass tcp from any to any 20 setup 
> $fwcmd add pass tcp from any to any 21 setup 
> $fwcmd add pass tcp from any to any 80 setup 
> vs 
> $fwcmd add pass tcp from any 20 to any 
> $fwcmd add pass tcp from any to any 20 
> $fwcmd add pass tcp from any 21 to any 
> $fwcmd add pass tcp from any to any 21 
> 
> Using the established command will give us better
> performance on the firewall, is this correct?

Using the 'established' keyword in this way will stop processing of
the firewall rules at that rule, thus saving however-many ns it takes
to process the remaining rules in ipfw.  Unless there are many rules,
the savings are pretty negligible.

Using the first set of rules instead of the second also closes a
MAJOR hole.  With the second set of rules in place, a person could
make a connection from port 20 on their machine (which they control)
to _any_ port on a machine behind the firewall.  You _cannot_ use
source port filtering as a means of access control, since the
controller of the source host can use any port that they choose.

Regards,

Greg
-- 
Gregory S. Sutter                  Failing sardine factory cans employees!
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052
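Added example, not part of the original thread: a small Python first-match simulation of the two rule sets quoted above. It models ipfw's 'setup' (SYN set, ACK clear) and 'established' (ACK or RST set) keywords and the implicit final deny, so the hole described in the reply can be checked directly: a fresh SYN sent from source port 20 to a port nobody meant to expose passes the source-port set but is denied by the established/setup set. Rule and packet classes, ports and the probe packet are constructed for illustration.

```python
# Constructed first-match simulation of the two ipfw rule sets in the message
# (added example, not from the original post). Modelled keyword semantics:
# 'setup' = SYN set and ACK clear; 'established' = ACK or RST set;
# packets matching no rule hit the implicit final 'deny all'.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "deny"
    src_port: Optional[int] = None  # None means 'any'
    dst_port: Optional[int] = None
    setup: bool = False             # ipfw 'setup' keyword
    established: bool = False       # ipfw 'established' keyword

    def matches(self, p: Packet) -> bool:
        return ((self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (not self.setup or (p.syn and not p.ack))
                and (not self.established or p.ack or p.rst))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """ipfw stops at the first matching rule; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# First set: 'established' plus 'setup' only to the served ports.
ESTABLISHED_SET = [Rule("pass", established=True),
                   Rule("pass", dst_port=20, setup=True),
                   Rule("pass", dst_port=21, setup=True),
                   Rule("pass", dst_port=80, setup=True)]
# Second set: admits traffic by source port, the hole the reply describes.
SOURCE_PORT_SET = [Rule("pass", src_port=20), Rule("pass", dst_port=20),
                   Rule("pass", src_port=21), Rule("pass", dst_port=21)]
# Constructed probe: a new connection (SYN) from source port 20 to port 22.
PROBE_FROM_PORT_20 = Packet(src_port=20, dst_port=22, syn=True)

if __name__ == "__main__":
    for name, rules in (("established", ESTABLISHED_SET), ("source-port", SOURCE_PORT_SET)):
        print(f"{name:12s} set: probe -> {evaluate(rules, PROBE_FROM_PORT_20)}")
```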