Date:      Tue, 4 Apr 2000 12:01:20 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        rayk@sugar-land.spc.slb.com (Keith Ray)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw dynamic rules & tcp rst
Message-ID:  <200004040201.MAA24050@cairo.anu.edu.au>
In-Reply-To: <4.3.1.2.20000403104253.00af9380@163.188.48.51> from Keith Ray at "Apr 3, 0 11:03:48 am"

In some mail from Keith Ray, sie said:
> I have been using the new dynamic ipfw rules in 4.0.  I wanted to make the 
> firewall react as though it didn't exist by returning TCP RSTs instead of 
> just dropping the connection.  However, the following rules do not work:
> 
> 00400 check-state
> 00500 reset tcp from any to {myip} established
> 00600 reset tcp from {myip} to any established
> 00700 allow tcp from any to {myip} 22 keep-state setup
> 00800 reset tcp from any to {myip} setup
> 65535 deny ip from any to any
> 
> When a connection comes in for a non-allowed port, rule 800 rejects the 
> connection.  However, rule 600 prevents the TCP RST from being sent and the 
> connection is dropped.  The following rules work however:
> 
> 00300 allow tcp from {myip} to any
> 00400 check-state
> 00500 reset tcp from any to {myip} established
> 00600 allow tcp from any to {myip} 22 keep-state setup
> 00700 reset tcp from any to {myip} setup
> 65535 deny ip from any to any
> 
> This time the connection is rejected and rule 300 allows the RST to be 
> sent.  Is there a better way of accomplishing this?

Yeah, use IP Filter.

Darren


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
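The rule-ordering problem Keith describes can be reproduced with a small first-match model of the quoted rulesets. The model below is an added illustration and is not ipfw's code or anything from this thread: the addresses 192.0.2.1 (standing in for {myip}) and 198.51.100.7 are constructed, the packet flags and state table are simplified, and the only ipfw semantics it assumes are the ones the quoted message relies on: 'setup' means SYN without ACK, 'established' means RST or ACK set, rules are tried in order and the first match wins, and the RST that a 'reset' rule generates is an outbound packet that is itself run through the ruleset (so an outbound 'reset ... established' rule swallows it, and a RST is never answered with another RST).

```python
# Added example: first-match model of the two ipfw rulesets quoted above.
# Not ipfw's implementation; addresses and packets below are constructed.
from dataclasses import dataclass
from typing import Optional

MYIP = "192.0.2.1"       # constructed stand-in for {myip}
CLIENT = "198.51.100.7"  # constructed remote host


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    @property
    def is_setup(self) -> bool:        # ipfw 'setup': SYN set, ACK clear
        return self.syn and not self.ack

    @property
    def is_established(self) -> bool:  # ipfw 'established': RST or ACK set
        return self.rst or self.ack

    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    num: int
    action: str                    # 'allow' | 'reset' | 'deny' | 'check-state'
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False
    established: bool = False
    keep_state: bool = False

    def matches(self, p: Pkt) -> bool:
        if self.src != "any" and p.src != self.src:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not p.is_setup:
            return False
        if self.established and not p.is_established:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}  # flow tuple -> action of the keep-state rule that created it

    def process(self, p: Pkt) -> str:
        """Return 'allow', 'drop', 'reset-sent' or 'reset-suppressed'."""
        for r in self.rules:
            if r.action == "check-state":
                act = self.dynamic.get(p.flow())
                if act is not None:
                    return act
                continue
            if not r.matches(p):
                continue
            if r.keep_state:  # record both directions of the flow
                self.dynamic[p.flow()] = r.action
                self.dynamic[(p.dst, p.dport, p.src, p.sport)] = r.action
            if r.action == "allow":
                return "allow"
            if r.action == "deny":
                return "drop"
            if r.action == "reset":
                if p.rst:          # TCP never answers a RST with a RST
                    return "drop"
                # The generated RST is an outbound packet and is filtered too.
                rst = Pkt(p.dst, p.dport, p.src, p.sport, rst=True)
                return "reset-sent" if self.process(rst) == "allow" else "reset-suppressed"
        return "drop"


def broken_ruleset() -> Firewall:
    """Keith's first ruleset: rule 600 swallows the RST that 500/800 generate."""
    return Firewall([
        Rule(400, "check-state"),
        Rule(500, "reset", dst=MYIP, established=True),
        Rule(600, "reset", src=MYIP, established=True),
        Rule(700, "allow", dst=MYIP, dport=22, setup=True, keep_state=True),
        Rule(800, "reset", dst=MYIP, setup=True),
        Rule(65535, "deny"),
    ])


def working_ruleset() -> Firewall:
    """Keith's second ruleset: rule 300 lets the generated RST leave."""
    return Firewall([
        Rule(300, "allow", src=MYIP),
        Rule(400, "check-state"),
        Rule(500, "reset", dst=MYIP, established=True),
        Rule(600, "allow", dst=MYIP, dport=22, setup=True, keep_state=True),
        Rule(700, "reset", dst=MYIP, setup=True),
        Rule(65535, "deny"),
    ])


def run(fw: Firewall) -> dict:
    """Drive four constructed packets through a ruleset, in this order."""
    return {
        "syn_to_25": fw.process(Pkt(CLIENT, 40000, MYIP, 25, syn=True)),
        "syn_to_22": fw.process(Pkt(CLIENT, 40001, MYIP, 22, syn=True)),
        "synack_from_22": fw.process(Pkt(MYIP, 22, CLIENT, 40001, syn=True, ack=True)),
        "stray_ack_to_80": fw.process(Pkt(CLIENT, 40002, MYIP, 80, ack=True)),
    }


if __name__ == "__main__":
    for name, fw in (("broken", broken_ruleset()), ("working", working_ruleset())):
        print(name, run(fw))
```

In the first ruleset the SYN to port 25 and the stray ACK to port 80 both end as 'reset-suppressed': the reset rule fires, but the RST it generates is an outbound established packet and rule 600 matches it first. Moving an outbound allow (rule 300) ahead of the resets, as in the second ruleset, turns both into 'reset-sent'. The SSH SYN is allowed by the keep-state rule in both sets, and in the first set it is only the check-state at 400 sitting ahead of 600 that lets the SYN/ACK reply back out.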
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200004040201.MAA24050>