From owner-freebsd-questions Wed Feb 17 6:49: 0 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhub.scl.ameslab.gov (mailhub.scl.ameslab.gov [147.155.137.127]) by hub.freebsd.org (Postfix) with ESMTP id C6B4C10E7B for ; Wed, 17 Feb 1999 06:48:57 -0800 (PST) (envelope-from ghelmer@scl.ameslab.gov)
Received: from demios.ether.scl.ameslab.gov ([147.155.137.54]) by mailhub.scl.ameslab.gov with esmtp (Exim 1.90 #1) id 10D8I1-0006Mw-00; Wed, 17 Feb 1999 08:49:25 -0600
Date: Wed, 17 Feb 1999 08:48:50 -0600
From: Guy Helmer
To: Dave Richards
Cc: freebsd-questions@freebsd.org
Subject: Re: "established" firewall rule
In-Reply-To: <36CA32D3.FB01EAE5@richcon.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 16 Feb 1999, Dave Richards wrote:

> Hi All,
> I was recently the victim of a security breach on my FreeBSD 2.5 box
> (the fault of Qualcomm's Qpopper 2.4 daemon, NOT FreeBSD). It was not
> pretty... Trojan horse programs all over... As a result, I reinstalled
> with 2.8 and a firewall-enabled kernel. I think it's pretty secure now,
> except for one question:
>
> Can packets matching the "established" firewall rule be forged? I put
> the following line early in my firewall to improve performance:
>
> ipfw allow tcp from any to any established
>
> ....but I'm still a little worried that some crackerjack can forge
> packets by setting the RST or ACK bits in his packets to fool the
> firewall. Is this do-able??? Thanks for any insights...

Any TCP segment without the SYN bit set could get through this rule. A TCP
connection can only be initiated by a packet with the SYN bit set, so this
rule won't allow an attacker to connect to arbitrary ports on your machine.

The "established" rule will allow stealth scanning (sending packets without
the SYN bit set to arbitrary ports on your machine to probe what your machine
is doing), but you can reduce your exposure by not running services you don't
need (such as rsh/rlogin/rexec, telnet, ftp, etc.).

Depending on your rules, the established rule could allow outgoing
connections that you wouldn't ordinarily allow, such as if your rules
otherwise allow outgoing connections only to certain ports (e.g., port 80);
arranging your rules properly should avoid this possibility.

If there are other significant exposures due to the "established" rule, I'd
like to hear someone else chime in about them.

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
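The three points in the reply (a bare SYN never matches `established`, an ACK-only probe does, and rule order decides whether `established` quietly widens what can be initiated) can be checked against a small model of ipfw's first-match evaluation. The block below is an added example, not code from the thread or from ipfw itself; it models only the parts of the ipfw rule language the discussion uses (`established` = TCP with RST or ACK set, `setup` = TCP with SYN set and ACK clear, `in`/`out`, first match wins, default deny). The addresses, ports and the two rulesets `LOOSE` and `STRICT` are constructed for the demonstration. `LOOSE` is a ruleset that tries to limit outbound connections by admitting only port-80 replies and then has `allow ... established` placed first "for performance"; `STRICT` controls connection initiation with `setup` rules before the `established` rule, which is the arrangement the reply hints at.

```python
"""Toy model of ipfw first-match evaluation and the `established` keyword.

Constructed example (not code from the list post or from FreeBSD ipfw).
It demonstrates:
  1. `allow tcp from any to any established` never matches a bare SYN, so it
     cannot by itself admit a new inbound connection;
  2. it does pass ACK-only probes to any port (ACK "stealth" scan exposure);
  3. placed before rules that restrict outbound connections only by
     filtering the replies, it lets those replies through, whereas
     controlling initiation with `setup` rules first closes that hole.
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

ME = "192.0.2.10"          # the firewalled host (constructed address)
PEER = "203.0.113.5"       # some remote host (constructed address)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0
    direction: str = "in"  # "in" = arriving at ME, "out" = leaving ME


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False  # ipfw `established`: TCP with RST or ACK set
    setup: bool = False        # ipfw `setup`: TCP with SYN set, ACK clear

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.established and not (p.proto == "tcp" and p.flags & (RST | ACK)):
            return False
        if self.setup and not (p.proto == "tcp" and p.flags & SYN and not p.flags & ACK):
            return False
        return True


def evaluate(rules, p: Packet):
    """First matching rule wins, as in ipfw. Returns (action, rule index)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", None  # implicit default deny at the end of the list


# Ruleset A: outbound "restricted to web" only by admitting port-80 replies,
# with the established rule put first for speed. Everything leaving is trusted.
LOOSE = [
    Rule("allow", "tcp", established=True),
    Rule("allow", direction="out"),
    Rule("allow", "tcp", sport=80, dst=ME, direction="in"),
    Rule("allow", "tcp", dst=ME, dport=25, direction="in", setup=True),
    Rule("deny"),
]

# Ruleset B: connection initiation is decided by `setup` rules in both
# directions before `established` passes the remainder of permitted flows.
STRICT = [
    Rule("allow", "tcp", src=ME, dport=80, direction="out", setup=True),
    Rule("allow", "tcp", dst=ME, dport=25, direction="in", setup=True),
    Rule("deny", "tcp", setup=True),
    Rule("allow", "tcp", established=True),
    Rule("deny"),
]

# Constructed probe packets aimed at the (unused) POP3 port on ME.
SYN_IN_POP3 = Packet("tcp", PEER, 40000, ME, 110, SYN, "in")
ACK_PROBE_POP3 = Packet("tcp", PEER, 40000, ME, 110, ACK, "in")
SMTP_SYN_IN = Packet("tcp", PEER, 40000, ME, 25, SYN, "in")


def outbound_connection_completes(rules, dport: int) -> bool:
    """True if both the outbound SYN and the inbound SYN+ACK reply are passed."""
    syn = Packet("tcp", ME, 40001, PEER, dport, SYN, "out")
    synack = Packet("tcp", PEER, dport, ME, 40001, SYN | ACK, "in")
    return evaluate(rules, syn)[0] == "allow" and evaluate(rules, synack)[0] == "allow"


if __name__ == "__main__":
    for name, rs in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "SYN to 110:", evaluate(rs, SYN_IN_POP3))
        print(name, "ACK probe to 110:", evaluate(rs, ACK_PROBE_POP3))
        print(name, "outbound telnet completes:", outbound_connection_completes(rs, 23))
        print(name, "outbound web completes:", outbound_connection_completes(rs, 80))
```

Under both rulesets the bare SYN to port 110 is denied and the ACK-only probe is passed by the `established` rule, which is exactly the stealth-scan exposure the reply describes and why it recommends not running unneeded services rather than trying to filter it. The difference is outbound: `LOOSE` lets an outbound telnet connection complete because the SYN+ACK reply matches `established` before the port-80 reply rule is reached, while `STRICT` stops the outbound SYN at the `deny tcp setup` rule, so the reply never arises.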