From: Nate Williams (nate@yogotech.com)
Date: Mon, 14 Jan 2002 22:16:58 -0700
Message-ID: <15427.47946.824547.114063@caddis.yogotech.com>
To: Matthew Whelan
Cc: Richard Nyberg, Nate Williams, Ian, Rolandas Naujikas, stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules

> >> My solution to keep my ssh sessions from hanging because I made a cup
> >> of coffee was to up the sysctl MIB 'net.inet.ip.fw.dyn_ack_lifetime' to
> >> a more reasonable value.
> >
> > So, non-active TCP sessions can now get packets through since the
> > lifetime of the rules now exceeds the lifetime of many of your TCP
> > sessions, so I can now watch your firewall and punch packets through it
> > by analyzing the data.
> >
> > (In short, anyone good enough to punch through packets using the other
> > firewall setup is also capable of punching through packets with extended
> > lifetime TCP dynamic rules.)
>
> Is ipfw really that dumb? I admit I've never really fiddled with it as,
> being a gamer, I wanted NAT not to have to do the kernel->userland->kernel
> transitions so chose ipf/ipnat... I'm pretty sure from watching the ipfstat
> output that ipf is picking up the FINs and dropping the TTL on dynamic rules
> when TCP sockets are properly closed (admittedly UDP still presents the
> possibility of problems, but the default timeout there is rather
> shorter).

As I understand, IPF's dynamic rules are *much* better than IPFW's, yes.

> I haven't seen any ipfw vs ipf comparisons mention this; if ipfw genuinely is
> incapable of spotting the end of a TCP connection (assuming the FINs are
> seen both ways), personally I'd think that a strong reason to advocate ipf
> as being preferable to ipfw where dynamic rules are needed.

It is, but the use of dynamic rules doesn't necessarily buy you *that*
much security.

> Besides, it seems to me that given the sort of hacker/script capable of
> exploiting such a weakness, 5 minutes' vulnerability is pretty much as bad
> as 10 days'... after all, they must be recording the traffic as it happens
> to know which port to attack.

The vulnerability of being able to push through hacked packets isn't as
bad as it might sound, since you'd have to have something listening on
the other end that blew up with said packets.

Getting packets out is a harder problem. :)

It's much easier to cause a virus on the remote end which initiates the
connection, and no simple packet filtering firewall is going to stop
those kinds of attacks.

Nate