TCP established flag & ipfw rule

Justin Walker justin at
Sun Feb 29 14:44:16 PST 2004

On Saturday, February 28, 2004, at 04:51 PM, J.T. Davies wrote:

> Hello everyone,
> I'm on the road to setting up a (hopefully) secure firewall to keep the bad
> people out.
> I got to thinking -- I see (semi-frequently) in docs a rule at the top of
> the list much like:
> ipfw add 100 allow ip from any to any established
> ...and here's where the thinking part comes in...
> Is it possible to (spoof isn't the correct verbiage) override the TCP flags
> on packets, thereby defeating the intent of the aforementioned rule?  I
> mean, if I had the knowledge (and the evil intent to do so) to create a
> program that added the EST flag onto the TCP packets...rule 100 would accept
> the packet, thereby allowing access to anything behind the
> Thoughts? Or is this a non-issue due to the stringent authoring of the
> TCP/IP protocol?

I'm not sure I follow your ideas.  There is no 'EST' flag in a TCP 
packet.  The "ESTABLISHED" state is kept at either end of the 
connection, not in the packets themselves.   In addition, the two ends 
may not have the same state.
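
Added example, not part of the original thread: a Python sketch contrasting a header-only `established` test with a filter that keeps its own per-flow state, to show where "established" actually lives. It assumes ipfw's `established` keyword matches segments with the ACK or RST bit set, as ipfw(8) documents; `FlowTable`, the addresses and the ports are constructed for illustration.

```python
import struct

# TCP header flag bits (RFC 793 plus ECE/CWR from RFC 3168); there is no "EST" bit.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def tcp_header(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte TCP header (no options, checksum left at 0)."""
    bits = sum(FLAGS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0)

def parse_flags(header):
    """Return the names of the flags set in byte 13 of a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return {name for name, bit in FLAGS.items() if header[13] & bit}

def stateless_established(header):
    """Header-only test: ACK or RST set (assumed ipfw 'established' semantics)."""
    return bool(parse_flags(header) & {"ACK", "RST"})

class FlowTable:
    """Toy stateful filter: inbound segments pass only for flows opened from inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, src, dst, header):
        # Record the 4-tuple when an inside host opens a connection.
        if "SYN" in parse_flags(header):
            sport, dport = struct.unpack("!HH", header[:4])
            self.flows.add((src, sport, dst, dport))

    def inbound_allowed(self, src, dst, header):
        # The decision comes from the table, not from any bit in the header.
        sport, dport = struct.unpack("!HH", header[:4])
        return (dst, dport, src, sport) in self.flows

def demo():
    """Return (stateless verdict, stateful verdict) for two constructed inbound segments."""
    table = FlowTable()
    table.outbound("10.0.0.5", "192.0.2.10", tcp_header(40000, 80, 1, 0, ["SYN"]))
    reply = tcp_header(80, 40000, 9, 2, ["SYN", "ACK"])  # answers the recorded SYN
    other = tcp_header(80, 40001, 9, 2, ["ACK"])         # no flow was opened for it
    return [(stateless_established(h),
             table.inbound_allowed("192.0.2.10", "10.0.0.5", h))
            for h in (reply, other)]
```

In ipfw the stateful equivalent is a `check-state` rule paired with `keep-state` on the rules that admit outbound connections.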



