From owner-freebsd-questions Tue Feb 16 19:09:52 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from ns1.richcon.com (www.richcon.com [207.174.22.199]) by hub.freebsd.org (Postfix) with ESMTP id 3D57A1116A for ; Tue, 16 Feb 1999 19:09:02 -0800 (PST) (envelope-from dave@richcon.com)
Received: from richcon.com (adoptex1.hcp.net [207.174.123.249]) by ns1.richcon.com (8.8.8/8.8.5) with ESMTP id UAA02441 for ; Tue, 16 Feb 1999 20:28:12 GMT
Message-ID: <36CA32D3.FB01EAE5@richcon.com>
Date: Tue, 16 Feb 1999 20:09:07 -0700
From: Dave Richards
Reply-To: dave@richcon.com
Organization: Richards Consulting
X-Mailer: Mozilla 4.06 [en] (Win95; I)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: "established" firewall rule
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi All,

I was recently the victim of a security breach on my FreeBSD 2.5 box (the fault of Qualcomm's Qpopper 2.4 daemon, NOT FreeBSD). It was not pretty... trojan horse programs all over... As a result, I reinstalled with 2.8 and a firewall-enabled kernel. I think it's pretty secure now, except for one question:

Can packets matching the "established" firewall rule be forged?

I put the following line early in my firewall to improve performance:

    ipfw allow tcp from any to any established

...but I'm still a little worried that some crackerjack can forge packets by setting the RST or ACK bits in his packets to fool the firewall. Is this do-able???

Thanks for any insights...

--
Sincerely,
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David A Richards, CNE, Network Consultant
Denver CO
Richards Consulting
Unix/Novell/WinNT/Web+Database+CGI
E-mail: mailto:dave@richcon.com
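An added illustration of what the question above turns on; this is example code, not part of the original post and not ipfw's own implementation. The `established` keyword classifies a TCP segment by its RST/ACK flag bits alone, so a stateless rule has no way to tell a genuine reply from any other segment carrying ACK, whereas a filter that keeps a connection table (the approach ipfw later offers as `keep-state`/`check-state`) also requires that the segment belong to a flow the protected host actually opened. The addresses, ports and header bytes below are constructed test values.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (RFC 793); they live in byte 13 of the TCP header.
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str      # IPv4 source address as text
    dst: str      # IPv4 destination address as text
    sport: int
    dport: int
    flags: int


def parse_tcp(src: str, dst: str, hdr: bytes) -> Segment:
    """Decode ports and flags from the fixed 20-byte TCP header."""
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", hdr[:14])
    return Segment(src, dst, sport, dport, flags)


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed header for tests: seq/ack 0, data offset 5 words, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def ipfw_established(seg: Segment) -> bool:
    """What 'allow tcp from any to any established' actually tests: RST or ACK set.
    No connection history is consulted, so any segment carrying ACK matches."""
    return bool(seg.flags & (TH_RST | TH_ACK))


class StatefulFilter:
    """Connection table: inbound segments are admitted only for flows whose
    opening SYN the protected host sent (the keep-state/check-state idea)."""
    def __init__(self) -> None:
        self.flows = set()

    def see_outbound(self, seg: Segment) -> None:
        if seg.flags & TH_SYN and not seg.flags & TH_ACK:
            self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))

    def allow_inbound(self, seg: Segment) -> bool:
        # The reply must mirror a flow we opened; flag bits alone prove nothing.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows


def classify(inbound: Segment, fw: StatefulFilter) -> tuple:
    """(stateless 'established' verdict, stateful verdict) for one inbound segment."""
    return ipfw_established(inbound), fw.allow_inbound(inbound)
```

Running the stateless and stateful checks side by side on a real SYN/ACK reply and on an unsolicited ACK shows where the two verdicts diverge.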