Julian H. Stacey
2006-Nov-11 16:16 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Hi security@ list,

In my self written, large ipfw rule set, I had something that passed
http to allow me to browse most but not all remote sites. For years
I assumed the few sites I had difficulty with were cases pppoed MTU
!= 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
then running 6.1-RELEASE I realised that wasn't the problem.

    http://www.web.de           still failed, &
    http://www.sueddeutsche.de  was slow.

I tried adding

    ${fwcmd} add pass tcp from any to any established

from src/etc/rc.firewall case - simple. Which solved it.
But I was scared, not understanding what the established bit did, &
how easily an attacker might fake something, etc.
I found adding these tighter rules instead worked for me

    ${fwcmd} tcp from any http to me established in via tun0
    ${fwcmd} tcp from me to any http established out via tun0

Should I still be worrying about established ?

Julian
--
Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
Mail Ascii, not HTML. Your smoke = my allergic headache.
http://berklix.org/free-software
R. B. Riddick
2006-Nov-11 19:01 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
--- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
> I tried adding
> ${fwcmd} add pass tcp from any to any established
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
> Should I still be worrying about established ?
>
Hmm... I personally use "check-states" and "keep-state", so that it is not
enough to fake the "established" flags, but the attacker had to know
the ports, the IPs, control over routing in pub inet(?) and some little
secrets in the TCP headers (I don't know exactly how it works):

    add check-state
    add pass icmp from any to any keep-state out xmit tun0
    add pass tcp from any to any setup keep-state out xmit tun0
    add pass udp from any to any domain keep-state out xmit tun0

Furthermore I use pf on the same box, too, so that a bug in ipfw is not
enough... :-)

-Arne
Dan Lukes
2006-Nov-11 19:19 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
R. B. Riddick wrote, On 11/11/06 20:00:
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
...
>> Should I still be worrying about established ?
> Hmm... I personally use "check-states" and "keep-state", so that it is not

Stateful rules can stop the sophisticated intruder, but are often more
vulnerable to DoS attacks. Every method has pros and cons ...

Dan
--
Dan Lukes SISAL MFF UK
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
Giorgos Keramidas
2006-Nov-11 22:04 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
On 2006-11-11 17:08, "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
> Hi security@ list,
> In my self written, large ipfw rule set, I had something that passed
> http to allow me to browse most but not all remote sites. For years
> I assumed the few sites I had difficulty with were cases pppoed MTU
> != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but
> then running 6.1-RELEASE I realised that wasn't the problem.
>
> http://www.web.de Still failed, &
> http://www.sueddeutsche.de Was slow.
>
> I tried adding
>
> ${fwcmd} add pass tcp from any to any established
>
> from src/etc/rc.firewall case - simple. Which solved it.
> But I was scared, not understanding what the established bit did, &
> how easily an attacker might fake something, etc.
> I found adding these tighter rules instead worked for me
>
> ${fwcmd} tcp from any http to me established in via tun0
> ${fwcmd} tcp from me to any http established out via tun0
>
> Should I still be worrying about established ?

In general, I prefer stateful rulesets, which eliminate the need for
'established' rules. This would be something like:

    ${fwcmd} check-state
    ${fwcmd} tcp from me to any http out via tun0 keep-state
    ${fwcmd} tcp from me to any ssh out via tun0 keep-state
    [...]

This may create problems with connections whose entries time out before
something is received back from the other end, but IMHO this is much
better than the possibility of someone 'abusing' the 'established' check
to poke holes through the firewall ruleset.
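An added simulation, not code from any poster in this thread, of what the three rule styles discussed so far accept: the rc.firewall 'simple' `established` rule Julian first tried, his tightened per-port pair, and the check-state/keep-state ruleset Arne and Giorgos describe. It models ipfw's `established` as "RST or ACK bit set" and `setup` as "SYN without ACK", and a dynamic rule as the address/port pair recorded when an outbound setup packet passes; the host names, ports and the unsolicited inbound packet are constructed, and a companion outbound setup rule is assumed for the two stateless policies.

```python
from collections import namedtuple

SYN, ACK, RST = "SYN", "ACK", "RST"
Pkt = namedtuple("Pkt", "src sport dst dport flags direction")  # direction: "in"/"out" on tun0

def is_established(p):  # ipfw 'established': TCP with the RST or ACK bit set
    return ACK in p.flags or RST in p.flags

def is_setup(p):        # ipfw 'setup': SYN set, ACK clear
    return SYN in p.flags and ACK not in p.flags

def any_established(p):
    """rc.firewall 'simple' style: pass tcp from any to any established."""
    if is_established(p):
        return "allow(established)"
    if p.direction == "out" and is_setup(p):  # assumed companion outbound setup rule
        return "allow(setup)"
    return "deny"

def http_established(p):
    """Julian's tighter pair, plus an assumed outbound setup rule for port 80."""
    if p.direction == "in" and p.sport == 80 and p.dst == "me" and is_established(p):
        return "allow(http established in)"
    if p.direction == "out" and p.dport == 80 and (is_setup(p) or is_established(p)):
        return "allow(http out)"
    return "deny"

class Stateful:
    """check-state first, then 'pass tcp from me to any setup keep-state out'."""
    def __init__(self):
        self.dyn = set()  # dynamic rules, keyed by the unordered (addr, port) pair
    def key(self, p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})
    def filter(self, p):
        if self.key(p) in self.dyn:
            return "allow(dynamic)"
        if p.direction == "out" and p.src == "me" and is_setup(p):
            self.dyn.add(self.key(p))
            return "allow(setup keep-state)"
        return "deny"

def scenario():
    # Constructed traffic: a real browse of www.web.de, then an unsolicited
    # inbound ACK from port 80 aimed at a local port no session was opened for.
    pkts = (Pkt("me", 50000, "www.web.de", 80, frozenset({SYN}), "out"),
            Pkt("www.web.de", 80, "me", 50000, frozenset({SYN, ACK}), "in"),
            Pkt("203.0.113.9", 80, "me", 22, frozenset({ACK}), "in"))
    fw = Stateful()
    return {"any": [any_established(p) for p in pkts],
            "http": [http_established(p) for p in pkts],
            "stateful": [fw.filter(p) for p in pkts]}
```

Both stateless policies pass the third, unsolicited packet purely on its flag bits; only the dynamic-rule policy rejects it, which is the point Giorgos makes above, while Dan's caveat that state tables can be exhausted is not modelled here.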
Alexander Leidinger
2006-Nov-12 05:20 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):
> --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
>> I tried adding
>> ${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>> ${fwcmd} tcp from any http to me established in via tun0
>> ${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about established ?
>>
> Hmm... I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know
> the ports, the IPs, control over routing in pub inet(?) and some little
> secrets in the TCP headers (I don't know exactly how it works):
> add check-state
> add pass icmp from any to any keep-state out xmit tun0
> add pass tcp from any to any setup keep-state out xmit tun0
> add pass udp from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:

    00100 6423992 376898110 allow ip from any to any via lo0
    00200       0         0 deny ip from any to 127.0.0.0/8
    00300       0         0 deny ip from 127.0.0.0/8 to any
    20000       0         0 check-state
    30000   10013   1047483 deny tcp from any to any established
    30100     226     45640 deny ip from any to any not verrevpath in
    30200       7       280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):

    30800 3149862 117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.
--
Committees have become so important nowadays that subcommittees have to be appointed to do the work.

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org    : PGP ID = 72077137
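An added parser, not from Alexander or the ipfw tree, for the accounting layout `ipfw -a list` prints (rule number, packets, bytes, action, rest of rule), run over the eight rule lines posted above. Besides ranking the deny rules by hit count it checks the ordering property the posted ruleset relies on: `check-state` sits before the `deny ... established` rule, so packets belonging to a tracked session never reach that counter and its 10013 hits are all stray flagged packets. The sample text is copied from the message and embedded as a constant.

```python
import re

# Sample in `ipfw -a list` layout: the seven rules and the bogon rule posted
# above (rule number, packets, bytes, action, rest of the rule).
SAMPLE = """\
00100 6423992 376898110 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
20000 0 0 check-state
30000 10013 1047483 deny tcp from any to any established
30100 226 45640 deny ip from any to any not verrevpath in
30200 7 280 deny tcp from any to any tcpoptions !mss setup
30800 3149862 117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
"""

RULE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_ipfw_show(text):
    """Turn accounting output into dicts; lines that do not fit the layout are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            num, pkts, nbytes, action, body = m.groups()
            rules.append({"num": int(num), "packets": int(pkts), "bytes": int(nbytes),
                          "action": action, "body": body})
    return rules

def deny_hits(rules):
    """Deny rules that fired at least once, busiest first."""
    return sorted((r for r in rules if r["action"] == "deny" and r["packets"]),
                  key=lambda r: r["packets"], reverse=True)

def established_after_check_state(rules):
    """True when a check-state rule precedes every rule that tests 'established',
    so only packets outside any dynamic rule ever reach those counters."""
    cs = [r["num"] for r in rules if r["action"] == "check-state"]
    est = [r["num"] for r in rules if "established" in r["body"]]
    return bool(cs) and all(min(cs) < n for n in est)

def report(text):
    rules = parse_ipfw_show(text)
    return {"ordered": established_after_check_state(rules),
            "top_deny": [(r["num"], r["packets"]) for r in deny_hits(rules)]}
```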
Michal Mertl
2006-Nov-12 17:19 UTC
src/etc/rc.firewall simple ${fw_pass} tcp from any to any established
Alexander Leidinger wrote on Sat 11. 11. 2006 at 21:32 +0100:
> Quoting "R. B. Riddick" <arne_woerner@yahoo.com> (from Sat, 11 Nov
> 2006 11:00:49 -0800 (PST)):
>
>> --- "Julian H. Stacey" <jhs@flat.berklix.net> wrote:
>>> I tried adding
>>> ${fwcmd} add pass tcp from any to any established
>>> from src/etc/rc.firewall case - simple. Which solved it.
>>> But I was scared, not understanding what the established bit did, &
>>> how easily an attacker might fake something, etc.
>>> I found adding these tighter rules instead worked for me
>>> ${fwcmd} tcp from any http to me established in via tun0
>>> ${fwcmd} tcp from me to any http established out via tun0
>>> Should I still be worrying about established ?
>>>
>> Hmm... I personally use "check-states" and "keep-state", so that it is not
>> enough to fake the "established" flags, but the attacker had to know
>> the ports, the IPs, control over routing in pub inet(?) and some little
>> secrets in the TCP headers (I don't know exactly how it works):
>> add check-state
>> add pass icmp from any to any keep-state out xmit tun0
>> add pass tcp from any to any setup keep-state out xmit tun0
>> add pass udp from any to any domain keep-state out xmit tun0
>
> These are the stats of the first 7 rules on my DSL line after one day:
> 00100 6423992 376898110 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 20000 0 0 check-state
> 30000 10013 1047483 deny tcp from any to any established
> 30100 226 45640 deny ip from any to any not verrevpath in
> 30200 7 280 deny tcp from any to any tcpoptions !mss setup
>
> Another nice rule (stats after one day):
> 30800 3149862 117471324 deny ip from any to
> 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

I am using something similar (with table instead of list filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt ).

Your numbers seem extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere near as many hits.

Michal

This is pretty unbelievable to me as I have similar (and more encompassing)
rule on a router serving thousands of

> Bye,
> Alexander.