Date: Tue, 16 Jul 2002 11:39:45 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: "Dmitry S. Rzhavin" <dima@rt.ru>
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020716183945.GA20381@blossom.cjclark.org>
In-Reply-To: <3D32EEBD.E66100A1@rt.ru>
References: <3D32D849.E3D8F2BE@rt.ru> <xzp1ya583vj.fsf@flood.ping.uio.no> <3D32EEBD.E66100A1@rt.ru>
On Mon, Jul 15, 2002 at 07:48:13PM +0400, Dmitry S. Rzhavin wrote:
> Dag-Erling Smorgrav wrote:
> >
> > "Dmitry S. Rzhavin" <dima@rt.ru> writes:
> > > 10 pass tcp from any to ip2 in keep-state setup
> > > ... nothing interesting here
> > > 20 deny tcp from any to ip2
> > >
> > >
> > > Or, in other words, I want to pre-auth some packet with rule 10 to
> > > check it later. Then, I decide to drop it.
> > > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > > session. I think this is not good. Why does ipfw work this way?
> >
> > That's what you asked it to do. Rule 10 basically says "if the packet
> > is a tcp SYN packet destined for ip2, stop examining it, let it
> > through
>
> nonono! Rule 10 says "let it _in_", not out! Or:
>
> --------------
> -------- |IPFW is here|
> |packet|==[flows in]=>in_if---- out_if
> -------- |packet|==>X |
> --------------
> fly in is allowed ^^^ ^^^ packet dies here
>
> So, I expect (at least) the dynamic rule to be "pass ip from inet to ip1 _in_".
> Or, as the best solution, the "in" rule creates a dynamic candidate, and the stateful
> dynamic rule is created only if the packet is allowed to go out. If the packet dies
> inside ipfw, the rule dies too.
> So, the question is: why is this bad? Why did the FreeBSD Team choose to create
> a dynamic rule "in/out" for an "in" static rule? Is it a bug, or a feature?
For TCP and UDP packets, a 'keep-state' rule will create a dynamic
rule that matches packets with the same set of IP-port pairs coming or
going on any interface.
Why is it done this way? That's how the original 'keep-state' hack was
done. Off of the top of my head, I can't think of firewall software
that doesn't work this way.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |       cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |       cjc@freebsd.org
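As an added illustration (not code from the thread, and a small model rather than ipfw itself): a Python simulation of the evaluation Crist describes, where a keep-state rule creates a dynamic entry that matches the same endpoint pairs in either direction on any interface and is consulted at the first keep-state rule. The addresses, ports and the restructured ruleset are constructed assumptions; it shows the "in"-created dynamic rule passing the outbound leg before rule 20 is ever reached, and one ordering where the deny decision is made before any state exists.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str; dst: str; sport: int; dport: int; direction: str; syn: bool = True

@dataclass
class Rule:
    num: int; action: str; dst: str = None; dport: int = None
    direction: str = None; keep_state: bool = False; setup: bool = False

    def matches(self, p):
        return ((self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (not self.setup or p.syn))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}   # flow key -> action of the rule that created it

    @staticmethod
    def key(p):
        # dynamic entries ignore interface and direction: the same key matches
        # the packet coming in and the very same packet going out
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def check(self, p):
        dyn_checked = False
        for r in self.rules:
            if r.keep_state and not dyn_checked:
                dyn_checked = True   # dynamic ruleset consulted at first keep-state rule
                act = self.dynamic.get(self.key(p))
                if act:
                    return f"{act} (dynamic)"
            if r.matches(p):
                if r.keep_state:
                    self.dynamic[self.key(p)] = r.action
                return f"{r.action} (rule {r.num})"
        return "deny (default)"

def thread_ruleset():   # the ruleset from the thread (ip2 is a constructed name)
    return Firewall([Rule(10, "pass", dst="ip2", direction="in", keep_state=True, setup=True),
                     Rule(20, "deny", dst="ip2")])

def restructured_ruleset():   # assumed alternative: state only once the packet may go out
    return Firewall([Rule(10, "pass", dst="ip2", direction="in", setup=True),
                     Rule(15, "deny", dst="ip2", dport=23, direction="out"),
                     Rule(20, "pass", dst="ip2", direction="out", keep_state=True, setup=True),
                     Rule(30, "deny", dst="ip2")])

def forward(fw, src, sport, dst, dport):
    # one forwarded SYN is checked on the inbound leg, then on the outbound leg
    return (fw.check(Packet(src, dst, sport, dport, "in")),
            fw.check(Packet(src, dst, sport, dport, "out")))
```

With the thread's ruleset the outbound leg returns "pass (dynamic)" and rule 20 is never consulted; with the restructured one, rule 15 denies port 23 on the way out and no state is created.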
