src/etc/rc.firewall simple ${fw_pass} tcp from any to
anyestablished
Michal Mertl
mime at traveller.cz
Sun Nov 12 17:19:48 UTC 2006
Alexander Leidinger píše v so 11. 11. 2006 v 21:32 +0100:
> Quoting "R. B. Riddick" <arne_woerner at yahoo.com> (from Sat, 11 Nov
> 2006 11:00:49 -0800 (PST)):
>
> > --- "Julian H. Stacey" <jhs at flat.berklix.net> wrote:
> >> I tried adding
> >> ${fwcmd} add pass tcp from any to any established
> >> from src/etc/rc.firewall case - simple. Which solved it.
> >> But I was scared, not undertstand what the established bit did, &
> >> how easily an attacker might fake something, etc.
> >> I found adding these tighter rules instead worked for me
> >> ${fwcmd} tcp from any http to me established in via tun0
> >> ${fwcmd} tcp from me to any http established out via tun0
> >> Should I still be worrying about established ?
> >>
> > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > enough to fake the "established" flags, but the attacker had to know
> > the ports,
> > the IPs, control over routing in pub inet(?) and some little secrets
> > in the TCP
> > headers (I dont know exactly how it works):
> > add check-state
> > add pass icmp from any to any keep-state out xmit tun0
> > add pass tcp from any to any setup keep-state out xmit tun0
> > add pass udp from any to any domain keep-state out xmit tun0
>
> These are the stats of the first 7 rules on my DSL line afer one day:
> 00100 6423992 376898110 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 20000 0 0 check-state
> 30000 10013 1047483 deny tcp from any to any established
> 30100 226 45640 deny ip from any to any not verrevpath in
> 30200 7 280 deny tcp from any to any tcpoptions !mss setup
>
> Another nice rule (stats after one day):
> 30800 3149862 117471324 deny ip from any to
> 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
I am using something similar (with table instead of list filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt ).
Your number seem to be extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere as many hits.
Michal
This is pretty unbelievable to me as I have similar (and more
encompassing) rule on a router serving thousands of
>
> Bye,
> Alexander.
>
More information about the freebsd-security
mailing list