Date: Thu, 07 Jun 2001 19:31:59 -0400
From: Bill Moran <wmoran@iowna.com>
To: patl@Phoenix.Volant.ORG
Cc: Josh Thomas <jdt2101@ksu.edu>, freebsd-questions@freebsd.org
Subject: Re: IPFW rules and outward connections
Message-ID: <3B200EEF.86F950D1@iowna.com>
References: <ML-3.4.991954966.2085.patl@asimov.phoenix.volant.org>
patl@Phoenix.Volant.ORG wrote:
>
> > Will allow the IP listed to initiate a ssh connection to anyone or
> > receive a ssh connection from anyone, while the second rule ensures that
> > the connection can continue to communicate and the final rule blocks
> > anything that doesn't fit into the first category.
> > tcp communications must establish themselves, therefore anything that is
> > not specifically allowed to "setup" will never get to the "established"
> > state. (it's probably best, for speed, to always put the "established"
> > rule near the beginning of your ruleset)
>
> But some l33t h4x0r can craft bogus packets which -claim- to be part
> of a non-existent established connection.

ph33r m3!!! :p ... silly h4x0r5p33k.

I'm curious, then. Do you feel that dynamic rules are more secure then?

So far it appears the ipfw rulesets I've put together have scared off anyone with malicious intent, as I've not yet had a break-in. But that doesn't mean my boxes are 100%. Really, just about any ruleset can be breached by someone with enough time/knowledge.

Do you know of any way that a forged established-connection packet can do anything more than DoS? There are other defenses to be taken against DoS, such as rate limiting, etc.

Don't mean to take this off-topic (am I?) but I'm always on the lookout to see what more I can learn about security.

-Bill
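As an added illustration of the point the two posters are arguing (not code from the thread or from FreeBSD), here is a small Python model of how ipfw's stateless `established` keyword and its dynamic `keep-state`/`check-state` rules treat the same packets. The host address 192.0.2.10 and the peer addresses are constructed placeholders for "the IP listed"; `setup` is modelled as SYN-without-ACK and `established` as ACK-set, which is how ipfw defines them.

```python
from dataclasses import dataclass

HOST = "192.0.2.10"  # constructed placeholder for "the IP listed" in the thread


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_setup(p):
    """ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a handshake."""
    return p.syn and not p.ack


def is_established(p):
    """ipfw 'established': ACK (or RST) set. A pure flag check with no memory."""
    return p.ack


def ssh_setup_allowed(p):
    """allow tcp from HOST to any 22 setup / allow tcp from any to HOST 22 setup"""
    return p.dport == 22 and (p.src == HOST or p.dst == HOST)


def stateless(p):
    """The ruleset from the thread: allowed setup, any established, deny the rest."""
    if is_setup(p) and ssh_setup_allowed(p):
        return "allow"
    if is_established(p):
        return "allow"  # any packet with ACK set passes, whether or not a flow exists
    return "deny"


def stateful(p, state):
    """check-state; allow ... setup keep-state; deny ip from any to any"""
    flow = (p.src, p.sport, p.dst, p.dport)
    if flow in state or flow[2:] + flow[:2] in state:
        return "allow"  # check-state: packet belongs to a flow we saw set up
    if is_setup(p) and ssh_setup_allowed(p):
        state.add(flow)  # keep-state: remember the flow, matched in both directions
        return "allow"
    return "deny"


def compare():
    """Run both rulesets over an SSH handshake and a packet merely claiming to be established."""
    pkts = {
        "setup": Pkt(HOST, 40000, "198.51.100.5", 22, syn=True, ack=False),
        "reply": Pkt("198.51.100.5", 22, HOST, 40000, syn=True, ack=True),
        "forged_ack": Pkt("203.0.113.9", 5555, HOST, 25, syn=False, ack=True),
    }
    state = set()
    return {"stateless": {n: stateless(p) for n, p in pkts.items()},
            "stateful": {n: stateful(p, state) for n, p in pkts.items()}}
```

The forged ACK-only packet to port 25 is accepted by the stateless `established` rule but dropped by the dynamic rules, because no `keep-state` entry was ever created for that flow.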