src/etc/rc.firewall simple ${fw_pass} tcp from any to anyestablished

Alexander Leidinger Alexander at Leidinger.net
Sat Nov 11 20:33:02 UTC 2006 

Quoting "R. B. Riddick" <arne_woerner at yahoo.com> (from Sat, 11 Nov  
2006 11:00:49 -0800 (PST)):

> --- "Julian H. Stacey" <jhs at flat.berklix.net> wrote:
>> I tried adding
>> 	${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not undertstand what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>> 	${fwcmd} tcp from any http to me established in via tun0
>> 	${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about 	established ?
>>
> Hmm... I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know  
>  the ports,
> the IPs, control over routing in pub inet(?) and some little secrets  
>  in the TCP
> headers (I dont know exactly how it works):
>  add check-state
>  add pass     icmp from any to any        keep-state out xmit tun0
>  add pass     tcp  from any to any  setup keep-state out xmit tun0
>  add pass     udp  from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line afer one day:
00100 6423992  376898110 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
20000       0          0 check-state
30000   10013    1047483 deny tcp from any to any established
30100     226      45640 deny ip from any to any not verrevpath in
30200       7        280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):
30800 3149862  117471324 deny ip from any to  
0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.

-- 
Committees have become so important nowadays that subcommittees have to
be appointed to do the work.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

More information about the freebsd-security mailing list