Date:      Mon, 15 Jul 2002 19:48:13 +0400
From:      "Dmitry S. Rzhavin" <dima@rt.ru>
To:        security@FreeBSD.ORG
Subject:   Re: ipfw and keep-state
Message-ID:  <3D32EEBD.E66100A1@rt.ru>
References:  <3D32D849.E3D8F2BE@rt.ru> <xzp1ya583vj.fsf@flood.ping.uio.no>

Dag-Erling Smorgrav wrote:
> 
> "Dmitry S. Rzhavin" <dima@rt.ru> writes:
> > 10 pass tcp from any to ip2 in keep-state setup
> > ... nothing interesting here
> > 20 deny tcp from any to ip2
> >
> >
> > Or, in other words, I want to pre-auth some packet with rule 10 to
> > check it later. Then, I decide to drop it.
> > But ipfw creates dynamic rule "inet <-> ip1" and passes this
> > session. I think this is not good. Why does ipfw work this way?
> 
> That's what you asked it to do.  Rule 10 basically says "if the packet
> is a tcp SYN packet destined for ip2, stop examining it, let it
> through

nonono! Rule 10 says "let it _in_", not out! Or:

                       --------------
--------               |IPFW is here|         
|packet|==[flows in]=>in_if----    out_if
--------               |packet|==>X |
                       --------------
     fly in is allowed ^^^       ^^^ packet dies here

So, I expect (at least) the dynamic rule to be "pass ip from inet to ip1 _in_".
Or, as the best solution, rule "in" creates a dynamic candidate, and a stateful
dynamic rule is created only if the packet is allowed to go out. If the packet dies
inside ipfw, the rule dies too.
So, the question is: why is this bad? Why did the FreeBSD Team choose to create
a dynamic rule "in/out" for an "in" static rule? Is it a bug, or a feature?


>, and remember to let all similar packets through in the
> future"
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
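A toy model of the two behaviours contrasted above, added here as an illustration (not ipfw's code): the current behaviour installs the bidirectional dynamic rule as soon as the "in" rule matches, so the same packet's out pass is answered by that dynamic rule before rule 20 is ever reached; the "candidate" variant commits state only if the packet survives the out pass. The simplified matching, the `commit_on_out` flag and the constructed packet are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    num: int
    action: str          # "pass" or "deny"
    dst: str             # destination the rule matches ("any" = all)
    direction: str       # "in", "out" or "any" (no direction given)
    keep_state: bool = False

def flow_key(pkt):
    # Bidirectional key: both directions of a session share one dynamic rule.
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def match(rule, pkt, direction):
    return rule.dst in ("any", pkt["dst"]) and rule.direction in ("any", direction)

def one_pass(rules, pkt, direction, dyn):
    """One pass through the rule list; returns (verdict, rule_num, key_to_create)."""
    key = flow_key(pkt)
    for r in rules:
        # Dynamic rules are consulted at the first keep-state (or check-state) rule
        # and apply the action of the rule that created them.
        if r.keep_state and key in dyn:
            return dyn[key], "dynamic", None
        if match(r, pkt, direction):
            return r.action, r.num, (key if r.keep_state else None)
    return "deny", "default", None       # implicit final deny

def traverse(rules, pkt, dyn, commit_on_out=False):
    """Packet enters on in_if and leaves on out_if: an in pass, then an out pass."""
    verdict, num, created = one_pass(rules, pkt, "in", dyn)
    if verdict != "pass":
        return verdict, num
    if created and not commit_on_out:
        dyn[created] = "pass"            # current behaviour: state exists before out pass
    verdict, num, _ = one_pass(rules, pkt, "out", dyn)
    if verdict == "pass" and created and commit_on_out:
        dyn[created] = "pass"            # proposed: candidate becomes state only if allowed out
    return verdict, num

RULES = [Rule(10, "pass", "ip2", "in", keep_state=True),   # "... in keep-state setup"
         Rule(20, "deny", "ip2", "any")]
SYN = {"src": "inet", "sport": 40000, "dst": "ip2", "dport": 80}  # constructed packet

def compare():
    """Returns ((verdict, rule), states) for current and proposed behaviour."""
    cur, prop = {}, {}
    return (traverse(RULES, SYN, cur), len(cur)), (traverse(RULES, SYN, prop, True), len(prop))

if __name__ == "__main__":
    print(compare())
```

With the current behaviour the SYN leaves via the dynamic rule and a state remains; with the candidate variant rule 20 drops it on the out pass and no state is left behind.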