Date: Thu, 12 Sep 2002 18:14:57 -0400
From: Chuck Swiger <cswiger@mac.com>
To: <freebsd-security@FreeBSD.ORG>
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <12908E71-C69D-11D6-90D4-000A27D85A7E@mac.com>
In-Reply-To: <20020912144554.L3276-100000@walter>
On Thursday, September 12, 2002, at 05:50 PM, Jason Stone wrote:

>> Nope. While I prefer to use a proxy to centralize web access to the
>> outside via my interior firewall, you can also do something like:
>>
>> add pass tcp from $INET $HIPORTS to any 80,443
>> add pass tcp from any 80,443 to $INET $HIPORTS established
>>
>> Without performing the TCP 3-way startup (starting with a packet with
>> SYN=1 and ACK=0), the TCP sequence numbers won't match and the client
>> being scanned from some random external IP will simply drop the invalid
>> connection attempt.
>
> Yes, unless of course the client has a broken tcp stack (think teardrop).
>
> Having the firewall permit such packets and counting on the client to
> correctly discard them is probably a bad idea - after all, if you trust
> the clients to run a properly configured and non-broken OS, why have a
> firewall at all?

Defense in depth. I attempt to configure client machines to be secure as if
there was no firewall at all. So, if the firewall or the rules have bugs, or
if someone routes around the firewall via a modem (or wireless, etc.), you
still have some level of internal security available as well.

> Packets that the client is just going to discard anyway should certainly
> be discarded by the firewall, and this is exactly what the
> keep-state/check-state rules do for you.

What happens if the packets don't go through the dynamic firewall? Or are
sent in response to an internal request and dynamically permitted through?

Why would someone make a request to a bad site? Well, has anyone ever
received spam email which contained hyperlinks? Even if you don't use a MUA
which automatically downloads links yourself, lots of people do.

People using dynamic firewalls tend to not pay much attention to egress
filtering. Presuming that you should permit responses to internal requests
because internally-initiated requests are supposed to be "safer" is an
assumption that I question.
-Chuck

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is
to ignore them." -Celia Green
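The exchange above turns on one concrete difference: the static pair of rules quoted by Jason admits any ACK-flagged segment from port 80/443 to a high port, while keep-state/check-state admits only segments that match a flow an inside host actually opened, and neither one helps when the inside host itself makes the request. The following toy model is an added illustration and is not part of this thread or of ipfw itself; it is a Python simulation of the two rulesets, with $INET assumed to be 10.0.0.0/24, $HIPORTS assumed to be 1024-65535, and the packets constructed test data rather than captured traffic.

```python
# Toy model of the two ipfw approaches debated in the thread: the static rule
# pair using 'established' versus a keep-state/check-state pair. Constructed
# example; addresses, ports and flags are invented, not captured traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INET = ip_network("10.0.0.0/24")   # assumed interior network ($INET)
HIPORTS = range(1024, 65536)       # assumed unprivileged client ports ($HIPORTS)
WEB_PORTS = (80, 443)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag letters: {"S"} = SYN, {"S", "A"} = SYN/ACK, {"A"} = ACK


def from_inet(pkt: Packet) -> bool:
    return ip_address(pkt.src) in INET


def to_inet(pkt: Packet) -> bool:
    return ip_address(pkt.dst) in INET


def static_ruleset(pkt: Packet) -> bool:
    """Models the quoted static rules:
         add pass tcp from $INET $HIPORTS to any 80,443
         add pass tcp from any 80,443 to $INET $HIPORTS established
       'established' matches any segment with ACK or RST set; the rule has no
       memory of whether an inside host ever opened the connection."""
    if from_inet(pkt) and pkt.sport in HIPORTS and pkt.dport in WEB_PORTS:
        return True
    if (pkt.sport in WEB_PORTS and to_inet(pkt) and pkt.dport in HIPORTS
            and pkt.flags & {"A", "R"}):
        return True
    return False


class StatefulRuleset:
    """Models the stateful alternative:
         add check-state
         add pass tcp from $INET $HIPORTS to any 80,443 setup keep-state
       Only an outbound SYN creates a dynamic entry; every other segment
       must match an existing entry in either direction."""

    def __init__(self):
        self.dynamic = set()  # 4-tuples of flows an inside host opened

    def permit(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic or rev in self.dynamic:  # check-state
            return True
        is_setup = "S" in pkt.flags and "A" not in pkt.flags
        if from_inet(pkt) and pkt.sport in HIPORTS and pkt.dport in WEB_PORTS and is_setup:
            self.dynamic.add(fwd)                        # keep-state
            return True
        return False


def run_scenario() -> dict:
    """Feeds the same constructed packets through both rulesets, in order,
    and returns each ruleset's verdict per packet."""
    client_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset("S"))
    server_synack = Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset("SA"))
    server_data = Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset("A"))
    # Unsolicited ACK-flagged segment from source port 80 to a high port no
    # inside host is using: the case Jason raises against the static rules.
    probe = Packet("198.51.100.7", 80, "10.0.0.5", 40001, frozenset("A"))
    # Inside host opening a non-web port: the egress-filtering case Chuck raises.
    irc_syn = Packet("10.0.0.5", 40002, "203.0.113.10", 6667, frozenset("S"))

    stateful = StatefulRuleset()
    packets = {"client_syn": client_syn, "server_synack": server_synack,
               "server_data": server_data, "probe": probe, "irc_syn": irc_syn}
    return {name: {"static": static_ruleset(p), "stateful": stateful.permit(p)}
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14s} static={'pass' if verdict['static'] else 'drop':4s} "
              f"stateful={'pass' if verdict['stateful'] else 'drop'}")
```

Running it shows the static pair passing the unsolicited probe (leaving it to the client's TCP stack to discard) while the stateful pair drops it; both pass the legitimate reply, and both drop the outbound connection to port 6667 only because the setup rule lists 80 and 443 explicitly, which is the egress restriction Chuck argues dynamic-rule users tend to neglect.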