From owner-freebsd-questions  Thu Jun  7 16:34:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.the-i-pa.com (mail.the-i-pa.com [151.201.71.132])
	by hub.freebsd.org (Postfix) with SMTP id F0AAE37B403
	for <freebsd-questions@freebsd.org>; Thu,  7 Jun 2001 16:34:08 -0700 (PDT)
	(envelope-from wmoran@iowna.com)
Received: (qmail 9154 invoked from network); 7 Jun 2001 23:42:33 -0000
Received: from unknown (HELO iowna.com) (151.201.71.193)
  by mail.the-i-pa.com with SMTP; 7 Jun 2001 23:42:33 -0000
Message-ID: <3B200EEF.86F950D1@iowna.com>
Date: Thu, 07 Jun 2001 19:31:59 -0400
From: Bill Moran <wmoran@iowna.com>
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: patl@Phoenix.Volant.ORG
Cc: Josh Thomas <jdt2101@ksu.edu>, freebsd-questions@freebsd.org
Subject: Re: IPFW rules and outward connections
References: <ML-3.4.991954966.2085.patl@asimov.phoenix.volant.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

patl@Phoenix.Volant.ORG wrote:

> > Will allow the IP listed to initiate a ssh connection to anyone or
> > receive a ssh connection from anyone, while the second rule ensures that
> > the connection can continue to communicate and the final rule blocks
> > anything that doesn't fit into the first category.
> > tcp communications must establish themselves, therefore anything that is
> > not specifically allowed to "setup" will never get to the "established"
> > state. (it's probably best, for speed, to always put the "established"
> > rule near the beginning of your ruleset)
> 
> But some l33t h4x0r can craft bogus packets which -claim- to be part
> of a non-existant established connection.

ph33r m3!!! :p ... silly h4x0r5p33k.
I'm curious, then. Do you feel that dynamic rules are more secure then?
So far it appears the ipfw rulesets I've put together have scared off
anyone with malicious intent, as I've not yet had a break-in. But that
doesn't mean my boxes are 100%.
Really, just about any ruleset can be breached by someone with enough
time/knowledge. Do you know of any way that a forged
established-connection packet can do anything more than DoS? There are
other defenses to be taken against DoS, such as rate limiting, etc.
Don't mean to take this off-topic (am I?) but I'm alway on the lookout
to see what more I can learn about security.

-Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message