src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

Alexander Leidinger Alexander at Leidinger.net
Sun Nov 12 17:34:04 UTC 2006


Quoting Michal Mertl <mime at traveller.cz> (Sun, 12 Nov 2006 18:19:03 +0100):

> Alexander Leidinger wrote on Sat 11. 11. 2006 at 21:32 +0100:
> > Quoting "R. B. Riddick" <arne_woerner at yahoo.com> (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):
> > 
> > > --- "Julian H. Stacey" <jhs at flat.berklix.net> wrote:
> > >> I tried adding
> > >> 	${fwcmd} add pass tcp from any to any established
> > >> from src/etc/rc.firewall case - simple. Which solved it.
> > >> But I was scared, not understanding what the established bit did, &
> > >> how easily an attacker might fake something, etc.
> > >> I found adding these tighter rules instead worked for me
> > >> 	${fwcmd} tcp from any http to me established in via tun0
> > >> 	${fwcmd} tcp from me to any http established out via tun0
> > >> Should I still be worrying about 	established ?
> > >>
> > > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > > enough to fake the "established" flags, but the attacker had to know
> > > the ports, the IPs, control over routing in pub inet(?) and some little
> > > secrets in the TCP headers (I don't know exactly how it works):
> > >  add check-state
> > >  add pass     icmp from any to any        keep-state out xmit tun0
> > >  add pass     tcp  from any to any  setup keep-state out xmit tun0
> > >  add pass     udp  from any to any domain keep-state out xmit tun0
> > 
> > These are the stats of the first 7 rules on my DSL line after one day:
> > 00100 6423992  376898110 allow ip from any to any via lo0
> > 00200       0          0 deny ip from any to 127.0.0.0/8
> > 00300       0          0 deny ip from 127.0.0.0/8 to any
> > 20000       0          0 check-state
> > 30000   10013    1047483 deny tcp from any to any established
> > 30100     226      45640 deny ip from any to any not verrevpath in
> > 30200       7        280 deny tcp from any to any tcpoptions !mss setup
> > 
> > Another nice rule (stats after one day):
> > 30800 3149862  117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
> 
> I am using something similar (with table instead of list filled from
> http://www.cymru.com/Documents/bogon-bn-agg.txt ).
> 
> Your numbers seem extremely high to me - I have it on a router with
> thousands of public IPs behind it and see nowhere near as many hits.

This is a 4.11-stable system.

# uptime
 6:22PM  up 1 day, 22:44, 1 user, load averages: 0.01, 0.05, 0.06

# ipfw -a show
00100 11653484  696947498 allow ip from any to any via lo0
00200        0          0 deny ip from any to 127.0.0.0/8
00300        0          0 deny ip from 127.0.0.0/8 to any
20000        0          0 check-state
30000    17150    1428089 deny tcp from any to any established
30100      235      48648 deny ip from any to any not verrevpath in
30200       16        640 deny tcp from any to any tcpoptions !mss setup
30300        0          0 deny ip from XXX
30400        0          0 allow ip from XXX
30500      275      48395 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via wi0
30600        0          0 deny ip from 192.168.1.0/24,192.168.2.0/24 to any in via tun0
30700        0          0 deny ip from any to 10.0.0.0/8,172.16.0.0/12 via tun0
30800  5713020  213062040 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
30900        0          0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via wi0
31000        0          0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via wi0
31100        0          0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via tun0
31200        0          0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via tun0

Maybe dial-up/DSL lines are more interesting to hack for the botnet
owners than whatever you have behind this router.

Bye,
Alexander.

-- 
 Adelai: A package is just a box until it's delivered. 
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
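The difference the thread turns on, between "established" (a stateless flag test) and check-state/keep-state (a dynamic rule table), is easy to see in a small model. The Python below is an added illustration written for this archive page, not ipfw's own code and not anything posted by the participants; the packet class, the address values and the single "outbound setup keep-state" policy are constructed assumptions. It mirrors the semantics the thread describes: ipfw's "established" option matches any TCP packet with ACK or RST set, while keep-state records a flow when the opening packet is accepted and check-state only admits packets that match a recorded flow. The counter on rule 30000 above ("deny tcp from any to any established", placed after check-state) is exactly the traffic the second scenario models: packets that carry the established flags but belong to no flow the host opened.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal packet carrying only the fields the modelled rules inspect (constructed)."""
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0          # TCP flag bits; unused for UDP
    direction: str = "in"   # "in" = arriving on the external interface, "out" = leaving it


def is_established(pkt: Packet) -> bool:
    """ipfw 'established': TCP with ACK or RST set, i.e. anything but a bare SYN.
    Nothing here proves the packet belongs to a connection this host opened."""
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))


def is_setup(pkt: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear (a connection opener)."""
    return pkt.proto == "tcp" and bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def flow_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reverse_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatefulFilter:
    """Model of 'check-state' followed by 'pass tcp from any to any setup keep-state out'
    and an implicit deny. Assumed policy, simplified to a 5-tuple table."""

    def __init__(self) -> None:
        self.dynamic: set = set()   # the dynamic rule table that keep-state fills

    def check_state(self, pkt: Packet) -> bool:
        return flow_key(pkt) in self.dynamic or reverse_key(pkt) in self.dynamic

    def decide(self, pkt: Packet) -> str:
        if self.check_state(pkt):                       # rule: check-state
            return "allow"
        if pkt.direction == "out" and is_setup(pkt):    # outbound opener: keep-state
            self.dynamic.add(flow_key(pkt))
            return "allow"
        return "deny"                                   # everything else


def established_only(pkt: Packet) -> str:
    """Model of 'pass tcp from any to any established' with no state at all."""
    return "allow" if is_established(pkt) else "deny"


def run_scenarios() -> dict:
    """Run the same constructed traffic through both rule styles and return the verdicts."""
    fw = StatefulFilter()
    # Constructed sample traffic; addresses are from the documentation ranges.
    syn_out = Packet("tcp", "10.0.0.2", 40000, "203.0.113.5", 80, SYN, "out")
    synack_in = Packet("tcp", "203.0.113.5", 80, "10.0.0.2", 40000, SYN | ACK, "in")
    # Inbound packet with ACK set that matches no flow this host opened.
    unsolicited_ack = Packet("tcp", "198.51.100.7", 1234, "10.0.0.2", 22, ACK, "in")
    # Inbound bare SYN: neither rule style admits it.
    unsolicited_syn = Packet("tcp", "198.51.100.7", 1234, "10.0.0.2", 22, SYN, "in")

    results = {}
    fw.decide(syn_out)    # our own opener creates the dynamic rule
    results["reply_to_our_syn"] = (established_only(synack_in), fw.decide(synack_in))
    results["unsolicited_ack"] = (established_only(unsolicited_ack), fw.decide(unsolicited_ack))
    results["unsolicited_syn"] = (established_only(unsolicited_syn), fw.decide(unsolicited_syn))
    return results


if __name__ == "__main__":
    for name, (est, stateful) in run_scenarios().items():
        print(f"{name:18s} established-only: {est:5s}  check-state/keep-state: {stateful}")
```

The reply to the host's own SYN passes under both styles; the unsolicited packet with ACK set passes the stateless "established" rule but is dropped by the stateful one, which is why the poster above prefers check-state/keep-state. Real ipfw dynamic rules go further than this 5-tuple model: they carry per-flow state and timeouts, so a matching 5-tuple is necessary but not sufficient.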