src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

Michal Mertl mime at traveller.cz
Sun Nov 12 17:19:48 UTC 2006


Alexander Leidinger wrote on Sat 11. 11. 2006 at 21:32 +0100:
> Quoting "R. B. Riddick" <arne_woerner at yahoo.com> (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):
> 
> > --- "Julian H. Stacey" <jhs at flat.berklix.net> wrote:
> >> I tried adding
> >> 	${fwcmd} add pass tcp from any to any established
> >> from src/etc/rc.firewall case - simple. Which solved it.
> >> But I was scared, not understanding what the established bit did, &
> >> how easily an attacker might fake something, etc.
> >> I found adding these tighter rules instead worked for me
> >> 	${fwcmd} add pass tcp from any http to me established in via tun0
> >> 	${fwcmd} add pass tcp from me to any http established out via tun0
> >> Should I still be worrying about established?
> >>
> > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > enough to fake the "established" flags, but the attacker has to know the ports,
> > the IPs, have control over routing in pub inet(?) and some little secrets in the TCP
> > headers (I don't know exactly how it works):
> >  add check-state
> >  add pass     icmp from any to any        keep-state out xmit tun0
> >  add pass     tcp  from any to any  setup keep-state out xmit tun0
> >  add pass     udp  from any to any domain keep-state out xmit tun0
> 
> These are the stats of the first 7 rules on my DSL line after one day:
> 00100 6423992  376898110 allow ip from any to any via lo0
> 00200       0          0 deny ip from any to 127.0.0.0/8
> 00300       0          0 deny ip from 127.0.0.0/8 to any
> 20000       0          0 check-state
> 30000   10013    1047483 deny tcp from any to any established
> 30100     226      45640 deny ip from any to any not verrevpath in
> 30200       7        280 deny tcp from any to any tcpoptions !mss setup
> 
> Another nice rule (stats after one day):
> 30800 3149862  117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

I am using something similar (with a table instead of a list, filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt).

Your numbers seem extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere near as many hits.

Michal


This is pretty unbelievable to me as I have similar (and more
encompassing) rule on a router serving thousands of 

> 
> Bye,
> Alexander.
> 
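
As an added example, not code from this thread and not FreeBSD's own rc.firewall, the following rc.firewall-style sh fragment puts the two techniques discussed above side by side: the stateful check-state/keep-state core from Riddick's rules, with Alexander's "deny tcp from any to any established" kept as the backstop that catches ACK-bearing segments with no state entry, and a bogon table loaded from a file in the bogon-bn-agg.txt format that Michal mentions, instead of a hand-written address list. The interface name tun0, the table number 10 and the embedded sample list are assumptions or constructed for the example; ipfw is only executed when it is present and the script runs as root, otherwise the generated commands are printed for review.

```shell
#!/bin/sh
# Added example; not code from this thread or from FreeBSD's rc.firewall.
#  1. Stateful core (check-state / keep-state) instead of a bare
#     "pass tcp from any to any established": a forged segment with ACK set
#     has no dynamic-rule entry, so it falls through to an explicit deny.
#  2. Bogon prefixes kept in an ipfw table loaded from a file in the
#     bogon-bn-agg.txt format, not a hand-maintained address list.
# Assumptions: outside interface tun0, table number 10, ipfw on PATH.

fwcmd="ipfw"        # same variable name rc.firewall uses
oif="tun0"          # assumed outside (DSL/PPP) interface
bogon_table="10"    # assumed table number

# Constructed stand-in for http://www.cymru.com/Documents/bogon-bn-agg.txt:
# one CIDR prefix per line, '#' lines are comments.  The real list changes as
# address space is allocated; re-fetch it regularly or the table will in time
# block legitimate networks.  The last entry is deliberately malformed
# (mask > 32) to show that bad lines are skipped rather than loaded.
BOGON_LIST='# constructed sample in the aggregate-list format
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.2.0/24
224.0.0.0/3
203.0.113.0/33
'

emit() { printf '%s\n' "$*"; }

# Accept only a.b.c.d/len with octets 0-255 and len 0-32, so a garbled or
# tampered list cannot feed arbitrary tokens to ipfw.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|/*|*/) return 1 ;;   # bad chars, 0 or 2+ slashes
        */*) ;;
        *) return 1 ;;                           # no mask at all
    esac
    _prefix=${1%/*}; _len=${1#*/}
    case "$_len" in *.*) return 1 ;; esac
    [ "$_len" -le 32 ] || return 1
    _oldifs=$IFS; IFS=.; set -- $_prefix; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Turn the list into "table N add prefix" commands, one per valid entry.
bogon_table_cmds() {
    printf '%s\n' "$BOGON_LIST" | while read -r entry rest; do
        case "$entry" in ''|'#'*) continue ;; esac    # blank or comment line
        if [ -z "$rest" ] && valid_cidr "$entry"; then
            emit "table $bogon_table add $entry"
        else
            echo "skipping malformed bogon entry: $entry $rest" >&2
        fi
    done
}

# The complete ruleset as ipfw command lines (without the leading "ipfw").
gen_rules() {
    emit "-f flush"
    emit "table $bogon_table flush"
    bogon_table_cmds
    emit "add 100 allow ip from any to any via lo0"
    emit "add 200 deny ip from any to 127.0.0.0/8"
    emit "add 300 deny ip from 127.0.0.0/8 to any"
    # Bogon sources and destinations on the outside interface.
    emit "add 400 deny ip from table($bogon_table) to any in via $oif"
    emit "add 410 deny ip from any to table($bogon_table) via $oif"
    emit "add 500 deny ip from any to any not verrevpath in"
    # Stateful core: only flows we opened (and their replies) pass.
    emit "add 1000 check-state"
    emit "add 1100 pass icmp from any to any keep-state out xmit $oif"
    emit "add 1200 pass tcp from any to any setup keep-state out xmit $oif"
    emit "add 1300 pass udp from any to any domain keep-state out xmit $oif"
    # ACK set but no state entry: where a forged "established" segment lands.
    emit "add 2000 deny tcp from any to any established"
    emit "add 2100 deny tcp from any to any tcpoptions !mss setup"
    emit "add 65000 deny ip from any to any"
}

# Load the rules when running as root on a host with ipfw; otherwise print
# the exact commands so the generated ruleset can be reviewed first.
apply_rules() {
    gen_rules | while read -r cmd; do
        if command -v "$fwcmd" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
            $fwcmd -q $cmd
        else
            emit "$fwcmd -q $cmd"
        fi
    done
}

if [ "${1:-}" = "load" ]; then
    apply_rules
fi
```

Run it with the argument `load` as root on the firewall host to load the rules, or call `gen_rules` to see them; check-state must precede the `deny ... established` rule, since a legitimate ACK is matched by its dynamic entry first and only state-less ACK traffic reaches the deny, which is exactly what Alexander's rule 30000 counter records.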



More information about the freebsd-security mailing list