Date: Thu, 7 Jun 2001 16:02:46 -0700 (PDT)
From: patl@Phoenix.Volant.ORG
To: Bill Moran <wmoran@iowna.com>
Cc: Josh Thomas <jdt2101@ksu.edu>, freebsd-questions@freebsd.org
Subject: Re: IPFW rules and outward connections
Message-ID: <ML-3.4.991954966.2085.patl@asimov.phoenix.volant.org>
In-Reply-To: <3B1FE973.AE494B0D@iowna.com>
On 7-Jun-01 at 13:54, Bill Moran (wmoran@iowna.com) wrote:
> ... Basically, if some other
> rule in your ruleset allows an internal machine to establish a
> connection, this rule will allow the machines that are part of the
> connection to continue to communicate.

More accurately, it will allow any incoming packet with the header flags
set in such a manner that it -claims- to be part of an established
connection. Even if the connection is now closed, or never existed at all.
This is used for some types of Denial Of Service attacks and stealth port
scans.

> The opposite of established is setup, for example:
>
> allow tcp from 192.168.5.73 to any 22 setup
> allow tcp from any to 192.168.5.73 22 setup
> allow tcp from any to any established
> deny tcp from any to any
>
> Will allow the IP listed to initiate a ssh connection to anyone or
> receive a ssh connection from anyone, while the second rule ensures that
> the connection can continue to communicate and the final rule blocks
> anything that doesn't fit into the first category.
> tcp communications must establish themselves, therefore anything that is
> not specifically allowed to "setup" will never get to the "established"
> state. (it's probably best, for speed, to always put the "established"
> rule near the beginning of your ruleset)

But some l33t h4x0r can craft bogus packets which -claim- to be part of a
non-existent established connection.

-Pat
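The flag-only matching Pat describes, modelled as an added example that is not code from the thread or from ipfw itself: `is_established` mirrors ipfw's `established` keyword, which matches any TCP packet with RST or ACK set, while `Stateful` is a simplified, hypothetical stand-in for ipfw's keep-state/check-state tracking. The host address comes from the quoted ruleset; the other addresses, ports and packets are constructed.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
HOST = "192.168.5.73"  # the address used in the quoted ruleset

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int; flags: int

def is_setup(p):        # ipfw "setup": SYN set, ACK clear
    return bool(p.flags & SYN) and not (p.flags & ACK)
def is_established(p):  # ipfw "established": RST or ACK set; no history consulted
    return bool(p.flags & (RST | ACK))
def setup_permitted(p): # the two quoted "setup" rules, condensed
    return p.dport == 22 and HOST in (p.src, p.dst)

def flag_only(p):       # the quoted ruleset: setup, then "established", else deny
    if is_setup(p) and setup_permitted(p):
        return "allow"
    return "allow" if is_established(p) else "deny"

class Stateful:
    """Hypothetical keep-state style tracker: only flows opened by a permitted
    setup packet are remembered, and only their later packets pass."""
    def __init__(self):
        self.flows = set()
    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if is_setup(p):
            if not setup_permitted(p):
                return "deny"
            self.flows.add(fwd)
            return "allow"
        if fwd in self.flows or rev in self.flows:
            if p.flags & RST:  # a reset ends the tracked flow
                self.flows -= {fwd, rev}
            return "allow"
        return "deny"

def compare(packets):   # one (flag_only_verdict, stateful_verdict) pair per packet
    st = Stateful()
    return [(flag_only(p), st.decide(p)) for p in packets]

# Constructed sample: a real ssh setup, its reply, then a lone ACK from an
# address that never opened anything (the thread's "bogus packet").
SAMPLE = [
    Pkt(HOST, 40001, "10.0.0.5", 22, SYN),
    Pkt("10.0.0.5", 22, HOST, 40001, SYN | ACK),
    Pkt("203.0.113.9", 4444, HOST, 139, ACK),
]
```

The third packet is where the two approaches part: the flag-only rule passes it because ACK is set, the tracker drops it because no permitted setup ever created that flow.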