TCP established flag & ipfw rule

J.T. Davies jtd at
Sun Feb 29 15:27:09 PST 2004

> > I got to thinking -- I see (semi-frequently) in docs a rule at the top
> > of
> > the list much like:
> >
> > ipfw add 100 allow ip from any to any established
> >
> > ...and here's where the thinking part comes in...
> >
> > Is it possible to (spoof isn't the correct verbage) override the TCP
> > flags
> > on packets, thereby defeating the intent of the aforementioned rule?  I
> > mean, if I had the knowledge (and the evil intent to do so) to create a
> > program that added the EST flag onto the TCP packets...rule 100 would
> > accept
> > the packet, thereby allowing access to anything behind the
> >
> >
> > Thoughts? Or is this a non-issue due to the stringent authoring of the
> > TCP/IP protocol?
> I'm not sure I follow your ideas.  There is no 'EST' flag in a TCP
> packet.  The "ESTABLISHED" state is kept at either end of the
> connection, not in the packets themselves.   In addition, the two ends
> may not have the same state.
> Regards,
> Justin

Ok, the Cliff Notes on TCP failed me...guess I gotta take TCP101 class

I re-read the man page for IPFW (and didn't blink this time).  The
"established" rule matches on RST or ACK.

To clarify, instead of "EST" in my original post, replace with "ACK".  Could
some unscrupulous person add the "ACK" flag to the TCP packets and be
accepted by this rule (even though they may not technically be "ACK")?  [Or
am I just talking out my butt here]

Or, to put the question more generally...could a "hacker" change the
flags/bits of the TCP packet at their whim?


More information about the freebsd-ipfw mailing list